latentbot | 897ae0e9125628c87a54bd0f6dc2404762369d84d7596ff30bb07ffa34cedeb0

Analysis

max time kernel
103s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Size

498KB
MD5

fbc87dc904ff343986d666a7cf0200bf
SHA1

8dd6e63a894b96c5c49e4dcf3c4ff8354f36ac1c
SHA256

897ae0e9125628c87a54bd0f6dc2404762369d84d7596ff30bb07ffa34cedeb0
SHA512

3df0aa912799c773e35e0bca384397bb479e8ca878e0504cff6640e4723e1d91e99011941a91501e5c623778f8e3aca08810ce47573620c641fda0bffd2fff8c
SSDEEP

6144:6aRjSA9AmP5OudPJ1xv6THAmuKMAYHCNR3KuljRzGS:1etw5JdPJ1xv6THAN3jiG4jRz

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

eustachuspyotr.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	HCqLCsGRzymYzWi.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARM = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TkBellExe = "C:\\Program Files (x86)\\Common Files\\Real\\Update_OB\\realsched.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCqLCsGRzymYzWi.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
2384	HCqLCsGRzymYzWi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	HCqLCsGRzymYzWi.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2076	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	82
PID 4484 wrote to memory of 2076	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	82
PID 4484 wrote to memory of 2076	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	82
PID 2076 wrote to memory of 3712	2076	vbc.exe	84
PID 2076 wrote to memory of 3712	2076	vbc.exe	84
PID 2076 wrote to memory of 3712	2076	vbc.exe	84
PID 4484 wrote to memory of 2384	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	85
PID 4484 wrote to memory of 2384	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	85
PID 4484 wrote to memory of 2384	4484	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe	85
PID 2384 wrote to memory of 3176	2384	HCqLCsGRzymYzWi.exe	86
PID 2384 wrote to memory of 3176	2384	HCqLCsGRzymYzWi.exe	86
PID 2384 wrote to memory of 3176	2384	HCqLCsGRzymYzWi.exe	86
PID 3176 wrote to memory of 4316	3176	vbc.exe	88
PID 3176 wrote to memory of 4316	3176	vbc.exe	88
PID 3176 wrote to memory of 4316	3176	vbc.exe	88

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc87dc904ff343986d666a7cf0200bf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4484
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzs_qcyp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES738A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60661D58FEE243AC85AA1C77C3223668.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- C:\Users\Admin\AppData\Local\Temp\HCqLCsGRzymYzWi.exe
  "C:\Users\Admin\AppData\Local\Temp\HCqLCsGRzymYzWi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4e7x5st.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAB8BF1910D44BA4A6593A5C2CB8A4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HCqLCsGRzymYzWi.exe

Filesize
152KB

MD5
403ad6cf20425c0fd6fa4b5ba7c092ed

SHA1
7a67a90f17cae0fd01f601c25eb859ad2d5404bc

SHA256
b8bd14ff469e74511e09632a326facecdd4f0dce768592c372a8c29a5342cf4f

SHA512
e9484c29f170ac7da91eed2bec5e0b6ac596fa2cfbdfca17fa1dbb6129ec95d9cd538f4b417ae7462f6ddf6d21812a68441236a5233f9ed43b916ee3de8349ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES738A.tmp

Filesize
1KB

MD5
0f8d4d3a4f6ddfd451f0d20c4d58ecc0

SHA1
426779f71b8dc88558451e04e89444f1f589bc29

SHA256
c83154340cf58476f10f2c36c949ac3689517ff902524b057eadccef3f28be12

SHA512
7b7dd284a1dad0a52ba28f84a40aa7fa1bb46a843512b7f27e26b9aa9af1ade9e844923ff9611748f0d9be800f29ffaf68f2dc4134fbae89b5dedadc96de8f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75EB.tmp

Filesize
1KB

MD5
678928cf54b18537e81c133acc5ad6be

SHA1
560d2111cc065d85adbb477397ceafae4ef30d64

SHA256
9e2456167b5b330699ef4cc53cc079f098f1fdf3ea4b85000e960c718ace5880

SHA512
c37c92f243061aee36e8ac27553be97410c33326cecfc800ac99bb3d1b2c362a86c5aadd676be3e0b4985db65dccefcb1cba8abd9b3db586b38e1df375badb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4e7x5st.0.vb

Filesize
70KB

MD5
ad1d999c3c3174edceedffb2ed8be6df

SHA1
410e05d3c708c770b0d62880c0e8440bc9ac61f0

SHA256
41f56d2a6ec0d05fc5e2f2b86660188e605cfc0016a62c8b90fa69617224947c

SHA512
4ef385bc176eb90e054efbe60f199fe9fec98ad2e123a73a9311205813bf8ee97dcf5599574c08f05c407c075216cde4f19da1f525c00ed26f4f92808672a42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4e7x5st.cmdline

Filesize
276B

MD5
dbc92de81d0287440efc57009935e7a5

SHA1
24c7dad2095ec9a3930b3d4e0a260074989b81e8

SHA256
a1aa07a64676fbd05d138525cbcf4267de8a9542606f1b5361284cd1ebddf139

SHA512
3c613248f0308036bc8739e93d59c1d7492aa96724017a607ff076462f97625d8e97798c55dee7612721b5829337bf8dbd92fec81fa21b560dcf6c05698049bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4e7x5st.dll

Filesize
48KB

MD5
2a24633d58ccee036e864dc58c247b33

SHA1
b329902442b268940dc079fb15e0cfec04dfd3ff

SHA256
7e16b08dbc7147c4702ff54fb0c6f102b5229e17c0fc903b57dcf0698540d63b

SHA512
dddbeb7dc0e7ddb8cfbde8801a14bf56b66b9c24dba619e8bf0346fc50a4d3be5dcd61421389324deb3b3b7dcf03d00856661dcee78f1e0b40423b9e56013f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzs_qcyp.0.vb

Filesize
68KB

MD5
cf6f2da0326a3d5aeace25f6ec5e6308

SHA1
e81169f2b77556e7f0879065ce55184b081e40df

SHA256
9915e7080f8cabbfc9ca12d040b38e15e7d57609f5360784234646bf1d077b24

SHA512
e8b873b2c0858e57707b8d4bf48cd60c47a760dd521737ee9bb8a1ad5cbb09fc9c8f97d088a6f9e14068a42627631eee42dec56ce177553f3e9099ce2441b54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzs_qcyp.cmdline

Filesize
276B

MD5
75cb4e35e6189e6994f2f8c42e155265

SHA1
3c7a99ef7c36290e75bdab5755a26b822d19e8ef

SHA256
11d82ec283f1ba42db7af777e0701424330e0ac91f3992cca835a94844bc337e

SHA512
b8b56ce8b4788ff2622e7dfd78e1dab6f2cdb61e0d15c6a02f143470436c052f6ff35da533e19ef2bcea078f75a8cd617ae5487283305f5d678d35dc3990db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzs_qcyp.dll

Filesize
48KB

MD5
c1021084ec9992c0fc1b453d3cd075be

SHA1
d9031c1996fbe42786b91f3e231f7b710c762a86

SHA256
ca266114e04e7d47153c96689a75136f75c9e116894445ce106fbaee68d57768

SHA512
e8e04dd7b0e4a15f507b2c39bc548f01af1db38dcfda3bf3e5ddb89d68994dcc11179f48317bad409eef1e1a16decb1f051fef16b9be905f5c87f285badb8390

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60661D58FEE243AC85AA1C77C3223668.TMP

Filesize
652B

MD5
9e71a5b2e21782a1bfa16c6e3c75d08f

SHA1
91498d9172107abe0efaee433db0de5545d04027

SHA256
924cc5c653301a277cd1657402d1ef2dab609716cf83380d4e1a4d83aa0fdd94

SHA512
b551a4863bc5e8d88c3156fdb64b121130892bc2502b73479a9f8073fea68761e49cf09bea8747fa794207436997066c674d769dd22bd4909c08a29aa7f1d45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFAB8BF1910D44BA4A6593A5C2CB8A4.TMP

Filesize
652B

MD5
e73c9fe0526713c6a2e74e243862400f

SHA1
a769d4c067ce954e1b0cdc80f7087f04a8acfcc0

SHA256
968200b64b7edfaddfe8a12b57df19abd6c8c75f09e9927f304b2921056b0188

SHA512
fb7589749c626736513a3cad1960951e4847f00a0c643afee9803c5c5b30532d85fcc793aa32fe572b2c5fa455147c15999a315a42e7bdfb5d8a45158a9d3f2b

Download Submit
memory/2076-16-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2076-7-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2384-35-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2384-39-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2384-51-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4484-34-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4484-2-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4484-1-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4484-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download