Analysis

  • max time kernel: 144s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-09-2024 13:22

General

  • Target: efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
  • Size: 1.9MB
  • MD5: efe28956830f08d43ef57ee055ef1280
  • SHA1: a4d3ca2a414516fa4358afc0890f9a226aabb3b8
  • SHA256: 528f9b4811ea7be8abb7faa45a54856f0f6d58382524729ec41cba144d1b2bd6
  • SHA512: 4e40943bd8c68a218c3e90ed71032f049a3fadbc3edbf1f2e1665e98d62c65fef3fef5502f3e70116e21ac9e6516bc7a0d9d77a1c251f5902dcf908578e73205
  • SSDEEP: 49152:nP0mqTvU/Dz6hQAEVyLDri/GDgOHhT34o0qrG:cmGqDzRVyLPiWhmD

Malware Config

Extracted

  • Family: latentbot
  • C2: yeniceriler.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in the wild since 2013.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efe28956830f08d43ef57ee055ef1280_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\standard.exe
      C:\Users\Admin\AppData\Local\Temp\\standard.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Users\Admin\AppData\Roaming\PATRONUS KOXP V2.5.EXE
        "C:\Users\Admin\AppData\Roaming\PATRONUS KOXP V2.5.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4812
      • C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
        "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2964
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:3588
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
    1⤵
    PID:2316

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\run.bat
      Filesize: 145B
      MD5: 6b8393408a3f2df19ff1e68a4f720729
      SHA1: 03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6
      SHA256: 623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9
      SHA512: 235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

    • C:\Users\Admin\AppData\Local\Temp\standard.exe
      Filesize: 1.6MB
      MD5: 79fdd2bd3d0673dff7fb912d504ebeea
      SHA1: ceb3de090834500b9aa6dacef10cfe2cba62c44d
      SHA256: b47648fea36c7550eed009a969ff9d578be201bba9e0c7dbe5b018bcdaa08f6a
      SHA512: f7ab649a67fc1e7c20bff3b2a4ebb2b332dc36846ca19829d80bb7fd9e97512d9de9901e85e99be0a706bf7ddeae2b90af6018eafea8e309c35657fe729550f2

    • C:\Users\Admin\AppData\Roaming\ntldr.dll
      Filesize: 93KB
      MD5: 19fc09ffc7c367c396bd944ac36929e5
      SHA1: 09b4b657ca58881a649e16fc5dffe921e4f05056
      SHA256: 2d881e059893bc0bfb41d2a515f4ecca0e372df9048a00c873381eb9ae950852
      SHA512: d15f9d8099f11611ea117b8302f27362180c4898e1bd52bc026d9a00b5a3010508b5c6fc65fb7dadf20f388c841296703acbd78abe44948ddcd643b530372577

    • C:\Users\Admin\AppData\Roaming\patronus koxp v2.5.exe
      Filesize: 344KB
      MD5: 0d0b141694c9f13ae53066614b1de6be
      SHA1: 051311856362e56807fde84d48e8b2b3a2e7d306
      SHA256: 57aeb17be53f956b5cc7aa3d07312f853460150b0c3b699daac2e7ca98ad01c6
      SHA512: bf1a67e0b1d0d575cf56c7a634fdda4c91901d269606173d3bdc1542c2907987eb2b1616a86e770d9aec44ee7986283fb5639ace461aae5a8f6ab3b95fd243f1

    • C:\Users\Admin\AppData\Roaming\rundll.exe
      Filesize: 678KB
      MD5: b4d736875783a1048e6e216d3b2b38c6
      SHA1: 1496c92d77fef5a02934bccec920c08ea97f43f7
      SHA256: 1de33c51c314957f3fc1084cbeac14ac6b1552da21b7fd91e604aca00e514b98
      SHA512: d64d43663330caef3f8a65a37b9ab93b4a662308776faf390f3d1b59e9540572b7f262b04acd3737a90fbe542773ac94e32413058d84024c6c3e388e918a3865

    • memory/2808-29-0x00000000004F0000-0x000000000050C000-memory.dmp (Filesize: 112KB)
    • memory/2808-33-0x0000000000AD0000-0x0000000000AD1000-memory.dmp (Filesize: 4KB)
    • memory/2808-43-0x00000000004F0000-0x000000000050C000-memory.dmp (Filesize: 112KB)
    • memory/2808-42-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
    • memory/2808-44-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
    • memory/3004-6-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize: 344KB)
    • memory/4812-40-0x0000000002160000-0x000000000217C000-memory.dmp (Filesize: 112KB)
    • memory/4812-41-0x0000000002160000-0x000000000217C000-memory.dmp (Filesize: 112KB)
    • memory/4892-30-0x0000000000400000-0x000000000059E000-memory.dmp (Filesize: 1.6MB)
    • memory/4892-4-0x0000000000940000-0x0000000000941000-memory.dmp (Filesize: 4KB)