General

  • Target

    ec030d3276115a3c890665b0725585f5_JaffaCakes118

  • Size

    510KB

  • Sample

    240919-xwllrsvgqb

  • MD5

    ec030d3276115a3c890665b0725585f5

  • SHA1

    5c7a2b3f748602f9c43b254e46b196eaab93d78e

  • SHA256

    331a1d704573224a0efc415feaf7b3666d3739ea1a03d0af1248687f065e9b3d

  • SHA512

    95af61fcd6ee514ff612283f69c182c6c89c0074b395374ada4a6cd110914a75da624c48b9d76009f68adc6fa985ef8b87b873a0a51a271c09ce8f4239fa3d42

  • SSDEEP

    12288:4M7VEBOPLt0/mAz36UHcTNN6Fi4o7A7Epu4ETMWYtLdZUkN1Oa6BGm7:17VEUPe/mc85Vu7M1LWBp7

Malware Config

Extracted

Family

latentbot

C2

snaggelpuss123.zapto.org

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • LatentBot

      Modular trojan written in Delphi which has been in the wild since 2013.

    • Modifies firewall policy service

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks