latentbot | 897ae0e9125628c87a54bd0f6dc2404762369d84d7596ff30bb07ffa34cedeb0

Analysis

max time kernel
128s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Size

498KB
MD5

fbc87dc904ff343986d666a7cf0200bf
SHA1

8dd6e63a894b96c5c49e4dcf3c4ff8354f36ac1c
SHA256

897ae0e9125628c87a54bd0f6dc2404762369d84d7596ff30bb07ffa34cedeb0
SHA512

3df0aa912799c773e35e0bca384397bb479e8ca878e0504cff6640e4723e1d91e99011941a91501e5c623778f8e3aca08810ce47573620c641fda0bffd2fff8c
SSDEEP

6144:6aRjSA9AmP5OudPJ1xv6THAmuKMAYHCNR3KuljRzGS:1etw5JdPJ1xv6THAN3jiG4jRz

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

eustachuspyotr.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Executes dropped EXE 1 IoCs

pid	Process
2864	njYsiZnxggTGhEQ.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARM = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TkBellExe = "C:\\Program Files (x86)\\Common Files\\Real\\Update_OB\\realsched.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njYsiZnxggTGhEQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
2864	njYsiZnxggTGhEQ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Token: SeDebugPrivilege	2864	njYsiZnxggTGhEQ.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2412	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	30
PID 1196 wrote to memory of 2412	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	30
PID 2412 wrote to memory of 2500	2412	vbc.exe	32
PID 2412 wrote to memory of 2500	2412	vbc.exe	32
PID 2412 wrote to memory of 2500	2412	vbc.exe	32
PID 2412 wrote to memory of 2500	2412	vbc.exe	32
PID 1196 wrote to memory of 2864	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	33
PID 1196 wrote to memory of 2864	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	33
PID 1196 wrote to memory of 2864	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	33
PID 1196 wrote to memory of 2864	1196	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	33
PID 2864 wrote to memory of 2232	2864	njYsiZnxggTGhEQ.exe	34
PID 2864 wrote to memory of 2232	2864	njYsiZnxggTGhEQ.exe	34
PID 2864 wrote to memory of 2232	2864	njYsiZnxggTGhEQ.exe	34
PID 2864 wrote to memory of 2232	2864	njYsiZnxggTGhEQ.exe	34
PID 2232 wrote to memory of 2776	2232	vbc.exe	36
PID 2232 wrote to memory of 2776	2232	vbc.exe	36
PID 2232 wrote to memory of 2776	2232	vbc.exe	36
PID 2232 wrote to memory of 2776	2232	vbc.exe	36

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nd6jmkvx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA574.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA573.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\njYsiZnxggTGhEQ.exe
  "C:\Users\Admin\AppData\Local\Temp\njYsiZnxggTGhEQ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvk8c54s.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA574.tmp

Filesize
1KB

MD5
9d5300497b5dc1bb6cb7cd2499c24617

SHA1
9c4f6253c10ada702f81d6c001116e706cf8e3ac

SHA256
b7ef4f86c92e25576512a0d6fc48f8e33148c9a5d0e78b5873c0b8e3d4f044c2

SHA512
88d2657ffd9092f67e4743e63d5fa7686956081ef0d2ee05db3ca56ab23ee62ddc65d303e9ded4e93afccf8d95f9bbb2c49258f877b16db0fd302220caf79f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7F4.tmp

Filesize
1KB

MD5
a772775f84bead95a350ed9619be1cad

SHA1
edcd5f4afba3200c80a1e8e2206af538c9706bdc

SHA256
a858ad5fd051cf02de47abe6dfe35b31a3d51ae92ce5a38d39a0aa83a264c301

SHA512
0c15fb02b0065d396e2769ec4186052751ccbf87aca05da2c4c2268a784b70b907edcadc0208913d04a83c255cfff8f3106bfe900d05f3bcd9a34e913f49db46

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd6jmkvx.0.vb

Filesize
68KB

MD5
cf6f2da0326a3d5aeace25f6ec5e6308

SHA1
e81169f2b77556e7f0879065ce55184b081e40df

SHA256
9915e7080f8cabbfc9ca12d040b38e15e7d57609f5360784234646bf1d077b24

SHA512
e8b873b2c0858e57707b8d4bf48cd60c47a760dd521737ee9bb8a1ad5cbb09fc9c8f97d088a6f9e14068a42627631eee42dec56ce177553f3e9099ce2441b54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd6jmkvx.cmdline

Filesize
276B

MD5
ef11f4deea630b5b3b8e74aba16816d1

SHA1
9021be83328b259a77277e0453e891841b9cf751

SHA256
f4f4e1a32fba004b0f5c27c0f66ce5bca1e98e631ba628fa7700f14a6b9bfad1

SHA512
2f5d743bb7e80830691ccd931430f0e94673870f7bbe1ea1bc1ff5c5ee1447e4216c531c28f2fd2cc43e8f3f5e71fa4ec4cd27c4c2a0367dd77866c0fa62b2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nd6jmkvx.dll

Filesize
48KB

MD5
c8d7ce72e69294cbde81fb0e43c9acf5

SHA1
bbe4b6436f96f73808cb9f4aa5ba23cae1aadf1a

SHA256
452dff411dec57ded56e709887c7b4810f76aeb2c2aae7d01aa17bb1f948eb22

SHA512
3da56476857db92476c953ae896b25f27cf065deb7545bfb6ead1129b6bea7483653a4b05bd187e711797961c59c8ad1f7d27ec3fb8d99953f9769cc7c3fe774

Download Submit
C:\Users\Admin\AppData\Local\Temp\njYsiZnxggTGhEQ.exe

Filesize
152KB

MD5
403ad6cf20425c0fd6fa4b5ba7c092ed

SHA1
7a67a90f17cae0fd01f601c25eb859ad2d5404bc

SHA256
b8bd14ff469e74511e09632a326facecdd4f0dce768592c372a8c29a5342cf4f

SHA512
e9484c29f170ac7da91eed2bec5e0b6ac596fa2cfbdfca17fa1dbb6129ec95d9cd538f4b417ae7462f6ddf6d21812a68441236a5233f9ed43b916ee3de8349ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA573.tmp

Filesize
652B

MD5
14ac2679c320c9a9fbebcfd4353c4123

SHA1
491ad38facb3e9bb3a7c607a0da402b607927910

SHA256
af413b416694c83e4e255090dcd39c4fe8bda177527f51e8df224b7b851a88e7

SHA512
ebab0b8098e8b66549e08d7f52d50a191de568034c68e01c2e5a0438eb254fbf3c94f4dff7151a6c477761898e407288c6a21ae968219b86efaffab6dd3c7df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp

Filesize
652B

MD5
f669b3430c1019369b4a9c8a1836694f

SHA1
6ed97d461942d3afc9c532ef8f1dc942788f5558

SHA256
1c2a7897160921f0cd9e1438c0b71c44343f468114368c575833c0984c8af927

SHA512
2ad5a84a9948e22d7d7ac78aa92d17a90ee6876ed785c1450e65aaed4844dd6e62c59e78208b9b7ccb73b74baa94697814307250a8d572dd0e63eb00f32d39ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvk8c54s.0.vb

Filesize
70KB

MD5
ad1d999c3c3174edceedffb2ed8be6df

SHA1
410e05d3c708c770b0d62880c0e8440bc9ac61f0

SHA256
41f56d2a6ec0d05fc5e2f2b86660188e605cfc0016a62c8b90fa69617224947c

SHA512
4ef385bc176eb90e054efbe60f199fe9fec98ad2e123a73a9311205813bf8ee97dcf5599574c08f05c407c075216cde4f19da1f525c00ed26f4f92808672a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvk8c54s.cmdline

Filesize
276B

MD5
a30be221f3e16c239afcb70ccfdd12b2

SHA1
a578948548d7d394abc4f4ffbe2c79421fcab1d2

SHA256
e0b3466da5a4fde6e2fb6c623459a1b8c913a45e85e83fc2c194b0872e0f005b

SHA512
10e29ef4c6e372a06bf6402ab24f6a9f851e4b68941fe86ee7c58b4f2a53bec1854746b94b3254889671178288780e2b55d8ac06d3a84f98037d3caf8de0cb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvk8c54s.dll

Filesize
48KB

MD5
1eea340955d5919642275e76a3dd1d4f

SHA1
386b666f079ace7a4157b61b2d6b3f4fa6860d22

SHA256
f052b778181d0dc9f04a610eaa2c2568fbfc54a72f56daec0031e1dba2c48b40

SHA512
afaa4a5e8241bfa222e2dabdabf5eec6a3adab861b9501cbfccdcdad8dd40c0f859a1229eaec0281a1f04ff53f341c7b41f0beca9760f49a478144a6119ab6bf

Download Submit
memory/1196-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/1196-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-31-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-7-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-16-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download