latentbot | 528f9b4811ea7be8abb7faa45a54856f0f6d58382524729ec41cba144d1b2bd6

General

Target

efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
Size

1.9MB
MD5

efe28956830f08d43ef57ee055ef1280
SHA1

a4d3ca2a414516fa4358afc0890f9a226aabb3b8
SHA256

528f9b4811ea7be8abb7faa45a54856f0f6d58382524729ec41cba144d1b2bd6
SHA512

4e40943bd8c68a218c3e90ed71032f049a3fadbc3edbf1f2e1665e98d62c65fef3fef5502f3e70116e21ac9e6516bc7a0d9d77a1c251f5902dcf908578e73205
SSDEEP

49152:nP0mqTvU/Dz6hQAEVyLDri/GDgOHhT34o0qrG:cmGqDzRVyLPiWhmD

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 3 IoCs

pid	Process
2752	standard.exe
3040	PATRONUS KOXP V2.5.EXE
2768	RUNDLL.EXE

Loads dropped DLL 8 IoCs

pid	Process
2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
2752	standard.exe
2752	standard.exe
2752	standard.exe
2752	standard.exe
2768	RUNDLL.EXE
3040	PATRONUS KOXP V2.5.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	standard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PATRONUS KOXP V2.5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3064	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
2752	standard.exe
2752	standard.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3040	PATRONUS KOXP V2.5.EXE
2768	RUNDLL.EXE
3040	PATRONUS KOXP V2.5.EXE
3040	PATRONUS KOXP V2.5.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2752	2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2752	2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2752	2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2752	2700	efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe	30
PID 2752 wrote to memory of 3040	2752	standard.exe	31
PID 2752 wrote to memory of 3040	2752	standard.exe	31
PID 2752 wrote to memory of 3040	2752	standard.exe	31
PID 2752 wrote to memory of 3040	2752	standard.exe	31
PID 2752 wrote to memory of 2768	2752	standard.exe	32
PID 2752 wrote to memory of 2768	2752	standard.exe	32
PID 2752 wrote to memory of 2768	2752	standard.exe	32
PID 2752 wrote to memory of 2768	2752	standard.exe	32
PID 2768 wrote to memory of 2548	2768	RUNDLL.EXE	33
PID 2768 wrote to memory of 2548	2768	RUNDLL.EXE	33
PID 2768 wrote to memory of 2548	2768	RUNDLL.EXE	33
PID 2768 wrote to memory of 2548	2768	RUNDLL.EXE	33
PID 2548 wrote to memory of 2960	2548	cmd.exe	35
PID 2548 wrote to memory of 2960	2548	cmd.exe	35
PID 2548 wrote to memory of 2960	2548	cmd.exe	35
PID 2548 wrote to memory of 2960	2548	cmd.exe	35
PID 2960 wrote to memory of 3064	2960	cmd.exe	36
PID 2960 wrote to memory of 3064	2960	cmd.exe	36
PID 2960 wrote to memory of 3064	2960	cmd.exe	36
PID 2960 wrote to memory of 3064	2960	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\standard.exe
  C:\Users\Admin\AppData\Local\Temp\\standard.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\PATRONUS KOXP V2.5.EXE
    "C:\Users\Admin\AppData\Roaming\PATRONUS KOXP V2.5.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3040
- - C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
    "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
\Users\Admin\AppData\Local\Temp\standard.exe

Filesize
1.6MB

MD5
79fdd2bd3d0673dff7fb912d504ebeea

SHA1
ceb3de090834500b9aa6dacef10cfe2cba62c44d

SHA256
b47648fea36c7550eed009a969ff9d578be201bba9e0c7dbe5b018bcdaa08f6a

SHA512
f7ab649a67fc1e7c20bff3b2a4ebb2b332dc36846ca19829d80bb7fd9e97512d9de9901e85e99be0a706bf7ddeae2b90af6018eafea8e309c35657fe729550f2

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
93KB

MD5
19fc09ffc7c367c396bd944ac36929e5

SHA1
09b4b657ca58881a649e16fc5dffe921e4f05056

SHA256
2d881e059893bc0bfb41d2a515f4ecca0e372df9048a00c873381eb9ae950852

SHA512
d15f9d8099f11611ea117b8302f27362180c4898e1bd52bc026d9a00b5a3010508b5c6fc65fb7dadf20f388c841296703acbd78abe44948ddcd643b530372577

Download Submit
\Users\Admin\AppData\Roaming\patronus koxp v2.5.exe

Filesize
344KB

MD5
0d0b141694c9f13ae53066614b1de6be

SHA1
051311856362e56807fde84d48e8b2b3a2e7d306

SHA256
57aeb17be53f956b5cc7aa3d07312f853460150b0c3b699daac2e7ca98ad01c6

SHA512
bf1a67e0b1d0d575cf56c7a634fdda4c91901d269606173d3bdc1542c2907987eb2b1616a86e770d9aec44ee7986283fb5639ace461aae5a8f6ab3b95fd243f1

Download Submit
\Users\Admin\AppData\Roaming\rundll.exe

Filesize
678KB

MD5
b4d736875783a1048e6e216d3b2b38c6

SHA1
1496c92d77fef5a02934bccec920c08ea97f43f7

SHA256
1de33c51c314957f3fc1084cbeac14ac6b1552da21b7fd91e604aca00e514b98

SHA512
d64d43663330caef3f8a65a37b9ab93b4a662308776faf390f3d1b59e9540572b7f262b04acd3737a90fbe542773ac94e32413058d84024c6c3e388e918a3865

Download Submit
memory/2700-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2752-29-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2752-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2768-34-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2768-47-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2768-48-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2768-49-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3040-37-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/3040-46-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads