latentbot | 68a93828ffbba9ddc3a7a493c909b212af0c2184ab2a96040a13b88e1ea2be8a

General

Target

3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe
Size

1.2MB
MD5

3cf91b6cf1dd24a262ee65a66067dac9
SHA1

02b32bb0460c10b4050c2e97592a5c8971729935
SHA256

68a93828ffbba9ddc3a7a493c909b212af0c2184ab2a96040a13b88e1ea2be8a
SHA512

ad839c6718203f8694004450c758f7a14a38da8cb5996d034997c4f55cea947cd94fbfa3265e261625263e527658bd47948d462d630fec890e96704fb325b3c2
SSDEEP

24576:kRmJkcoQricOIQxiZY1WNi/NvDAFE7EMuoKqgvWNEWixOgwDwRaYO:hJZoQrbTFZY1WNiZEW7EMbwvjdLwDw8X

Score

10^/10

latentbot discovery evasion trojan

Malware Config

Extracted

Family

latentbot

C2

afflictionrat2.zapto.org

1afflictionrat2.zapto.org

2afflictionrat2.zapto.org

3afflictionrat2.zapto.org

4afflictionrat2.zapto.org

5afflictionrat2.zapto.org

6afflictionrat2.zapto.org

7afflictionrat2.zapto.org

8afflictionrat2.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\explorer.exe = "C:\\Windows\\SysWOW64\\explorer.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\7Z2WW37IAO2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\7Z2WW37IAO2.exe:*:Enabled:Windows Messanger"	reg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/784-0-0x0000000000400000-0x00000000004CE000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe

description pid process target process

PID 784 set thread context of 2464 784 3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 784 set thread context of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.execmd.execmd.execmd.exereg.exereg.exereg.exeexplorer.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2700 reg.exe
2788 reg.exe
2764 reg.exe
2668 reg.exe

pid	process
2700	reg.exe
2788	reg.exe
2764	reg.exe
2668	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

explorer.exe

description	pid	process
Token: 1	2464	explorer.exe
Token: SeCreateTokenPrivilege	2464	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2464	explorer.exe
Token: SeLockMemoryPrivilege	2464	explorer.exe
Token: SeIncreaseQuotaPrivilege	2464	explorer.exe
Token: SeMachineAccountPrivilege	2464	explorer.exe
Token: SeTcbPrivilege	2464	explorer.exe
Token: SeSecurityPrivilege	2464	explorer.exe
Token: SeTakeOwnershipPrivilege	2464	explorer.exe
Token: SeLoadDriverPrivilege	2464	explorer.exe
Token: SeSystemProfilePrivilege	2464	explorer.exe
Token: SeSystemtimePrivilege	2464	explorer.exe
Token: SeProfSingleProcessPrivilege	2464	explorer.exe
Token: SeIncBasePriorityPrivilege	2464	explorer.exe
Token: SeCreatePagefilePrivilege	2464	explorer.exe
Token: SeCreatePermanentPrivilege	2464	explorer.exe
Token: SeBackupPrivilege	2464	explorer.exe
Token: SeRestorePrivilege	2464	explorer.exe
Token: SeShutdownPrivilege	2464	explorer.exe
Token: SeDebugPrivilege	2464	explorer.exe
Token: SeAuditPrivilege	2464	explorer.exe
Token: SeSystemEnvironmentPrivilege	2464	explorer.exe
Token: SeChangeNotifyPrivilege	2464	explorer.exe
Token: SeRemoteShutdownPrivilege	2464	explorer.exe
Token: SeUndockPrivilege	2464	explorer.exe
Token: SeSyncAgentPrivilege	2464	explorer.exe
Token: SeEnableDelegationPrivilege	2464	explorer.exe
Token: SeManageVolumePrivilege	2464	explorer.exe
Token: SeImpersonatePrivilege	2464	explorer.exe
Token: SeCreateGlobalPrivilege	2464	explorer.exe
Token: 31	2464	explorer.exe
Token: 32	2464	explorer.exe
Token: 33	2464	explorer.exe
Token: 34	2464	explorer.exe
Token: 35	2464	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

explorer.exe

pid process

2464 explorer.exe
2464 explorer.exe
2464 explorer.exe

pid	process
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exeexplorer.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 784 wrote to memory of 2464	784	3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe	explorer.exe
PID 2464 wrote to memory of 1920	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 1920	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 1920	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 1920	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2252	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2252	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2252	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2252	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 3060	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 3060	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 3060	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 3060	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2192	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2192	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2192	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 2192	2464	explorer.exe	cmd.exe
PID 3060 wrote to memory of 2788	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2788	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2788	3060	cmd.exe	reg.exe
PID 3060 wrote to memory of 2788	3060	cmd.exe	reg.exe
PID 2252 wrote to memory of 2700	2252	cmd.exe	reg.exe
PID 2252 wrote to memory of 2700	2252	cmd.exe	reg.exe
PID 2252 wrote to memory of 2700	2252	cmd.exe	reg.exe
PID 2252 wrote to memory of 2700	2252	cmd.exe	reg.exe
PID 2192 wrote to memory of 2764	2192	cmd.exe	reg.exe
PID 2192 wrote to memory of 2764	2192	cmd.exe	reg.exe
PID 2192 wrote to memory of 2764	2192	cmd.exe	reg.exe
PID 2192 wrote to memory of 2764	2192	cmd.exe	reg.exe
PID 1920 wrote to memory of 2668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2668	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2668	1920	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf91b6cf1dd24a262ee65a66067dac9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\explorer.exe" /t REG_SZ /d "C:\Windows\SysWOW64\explorer.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\explorer.exe" /t REG_SZ /d "C:\Windows\SysWOW64\explorer.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7Z2WW37IAO2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7Z2WW37IAO2.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7Z2WW37IAO2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7Z2WW37IAO2.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\osdin.txt

Filesize
420KB

MD5
8c23f4e4b2cea7f3a6829f358caa29a2

SHA1
fdead950e913085753b56f022048afdb872645fa

SHA256
eb709887daad154802fdaff677d89aaabe3333683c7eb6e8963406e4bef25101

SHA512
90853b11b969ee25087e83b005043fbc7a990ffe740ec4b9fbdfd56fa1c06b23e5a0b85921485fb7084be60eca5d1bcada3b2a3816b563bb263fa63bc058e632

Download Submit
memory/784-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2464-9-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2464-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2464-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads