General
-
Target
23a5eb38c422eba6ad53f6f87750a409_JaffaCakes118
-
Size
1.0MB
-
Sample
241008-xc71naxarh
-
MD5
23a5eb38c422eba6ad53f6f87750a409
-
SHA1
deedef041d8adba3a03bf0171034361b9addea85
-
SHA256
baaf52f06256430addfe4303d0c4e0643c3d0c0a10f50912dc1d4a44d3d63265
-
SHA512
a7c9885d2995b977452c40ff469c01e92e57d7a76050f7915128d98892566c6c1c2897e2f023a0d26b2edf56051484084c01ab8ce24b96060643845447ae50b8
-
SSDEEP
24576:qGVOaElGNkG1BZ1i3NTjL++PzFRdE89K7j8jEShHYWrnF8LNYwA8J5:eCtEJz37I70ESlYWLaBr5
Malware Config
Extracted
latentbot
eragondaboss.zapto.org
1eragondaboss.zapto.org
2eragondaboss.zapto.org
3eragondaboss.zapto.org
4eragondaboss.zapto.org
5eragondaboss.zapto.org
6eragondaboss.zapto.org
7eragondaboss.zapto.org
8eragondaboss.zapto.org
Targets
-
-
Target
23a5eb38c422eba6ad53f6f87750a409_JaffaCakes118
-
Size
1.0MB
-
MD5
23a5eb38c422eba6ad53f6f87750a409
-
SHA1
deedef041d8adba3a03bf0171034361b9addea85
-
SHA256
baaf52f06256430addfe4303d0c4e0643c3d0c0a10f50912dc1d4a44d3d63265
-
SHA512
a7c9885d2995b977452c40ff469c01e92e57d7a76050f7915128d98892566c6c1c2897e2f023a0d26b2edf56051484084c01ab8ce24b96060643845447ae50b8
-
SSDEEP
24576:qGVOaElGNkG1BZ1i3NTjL++PzFRdE89K7j8jEShHYWrnF8LNYwA8J5:eCtEJz37I70ESlYWLaBr5
Score10/10-
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
-
Modifies firewall policy service
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4