Analysis
max time kernel: 144s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2024 02:30
Static task: static1
Behavioral task: behavioral1
Sample: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
Size: 155KB
MD5: 7b824e5d964fc615c9d499d3df4cb7fa
SHA1: ffa0e0b22ba2a76473cb07a7d2e2b8e5559a49c5
SHA256: eec58cff377da4fe37b2338f82921d19f157aa88fd7cbe547ae51e75d690121f
SHA512: 4a87db8f9d0fdc9d556b9470f900328b5565fe771aee2152ce73d7aaffa4fb71da0f51d96dd3d5b51898277b04c5ce879b99dc84be57f6c0330816c11a00d8c1
SSDEEP: 3072:6BQAX4A71Gx3nr5aI+xk4UytHGyqXD0n8HbB3:6zGVnr5X+bHiXgns
Malware Config
Extracted
latentbot
established.zapto.org
Signatures
Latentbot family
Executes dropped EXE (2 IoCs)
Processes:
- PID 2604 services.exe
- PID 1232 services.EXE
Loads dropped DLL (3 IoCs)
Processes:
- PID 2832 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
- PID 2832 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
- PID 2604 services.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe" (process: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- Process 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE opened (read-only) the following drive roots: \??\n:, \??\g:, \??\z:, \??\s:, \??\p:, \??\o:, \??\m:, \??\k:, \??\i:, \??\e:, \??\v:, \??\t:, \??\r:, \??\u:, \??\q:, \??\l:, \??\j:, \??\h:, \??\y:, \??\x:, \??\w:
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 2760 (7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe) set thread context of PID 2832 (7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE)
- PID 2604 (services.exe) set thread context of PID 1232 (services.EXE)
Drops file in Program Files directory (64 IoCs)
Processes:
All files below were created by process 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE:
- File created C:\Program Files (x86)\edonkey2000\incoming\WinRAR-3 91 Full + Keymaker.exe
- File created C:\Program Files (x86)\emule\incoming\Babylon 8 - Instant translation tool.exe
- File created C:\Program Files (x86)\limewire\shared\Microsoft Windows Home Server 2010 Build 7360.exe
- File created C:\Program Files (x86)\tesla\files\Garmin mobile xt keygen.exe
- File created C:\Program Files (x86)\tesla\files\Autorun Virus Remover v2 3 1022-Lz0.exe
- File created C:\Program Files (x86)\bearshare\shared\Sony Vegas Pro 9.0 Full.exe
- File created C:\Program Files (x86)\grokster\my grokster\Setup OneCare for Windows 7.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe
- File created C:\Program Files (x86)\kazaa lite\my shared folder\Xilisoft AVI MPEG Converter v5 1 26 1030 Keyg.exe
- File created C:\Program Files (x86)\kazaa lite\my shared folder\RuneScape 2010 - Newest Exploits.exe
- File created C:\Program Files (x86)\icq\shared folder\Sony Vegas Pro 9.0 Full.exe
- File created C:\Program Files (x86)\bearshare\shared\Microsoft Office Accounting Professional 2009.exe
- File created C:\Program Files (x86)\bearshare\shared\LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe
- File created C:\Program Files (x86)\edonkey2000\incoming\facebook for dummies.exe
- File created C:\Program Files (x86)\edonkey2000\incoming\Microsoft Office Accounting Professional 2009.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Trojan Killer 2.0.6.4 Patch.exe
- File created C:\Program Files (x86)\tesla\files\Windows 2008 Server KeyGen.exe
- File created C:\Program Files (x86)\morpheus\my shared folder\Sony Vegas Pro 9.0 Full.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\facebook for dummies.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\DesktopCalendar.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\DiceRoller2 0.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\Recover Keys v3 0 3 7-MAZE.exe
- File created C:\Program Files (x86)\icq\shared folder\Uniture Memory Booster v6 1 0 5158-MESMERiZE.exe
- File created C:\Program Files (x86)\edonkey2000\incoming\Trojan Killer 2.0.6.4 Patch.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Autorun Virus Remover v2 3 1022-Lz0.exe
- File created C:\Program Files (x86)\limewire\shared\Xilisoft Burn Pro v1 0 64 0112 Keygen.exe
- File created C:\Program Files (x86)\winmx\shared\Diskeeper 2010 Pro Premier v14 0 900.exe
- File created C:\Program Files (x86)\limewire\shared\Trojan Killer 2.0.6.4 Patch.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Microsoft Windows Home Server 2010 Build 7360.exe
- File created C:\Program Files (x86)\edonkey2000\incoming\DesktopCalendar.exe
- File created C:\Program Files (x86)\emule\incoming\Microsoft Windows Home Server 2010 Build 7360.exe
- File created C:\Program Files (x86)\limewire\shared\LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe
- File created C:\Program Files (x86)\tesla\files\WinZip PRO v12.1 + Serials.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Web Dumper 3.1.1 Keygen.exe
- File created C:\Program Files (x86)\icq\shared folder\Adobe Photoshop CS4 KeyGen.exe
- File created C:\Program Files (x86)\emule\incoming\paypal hack 2010.exe
- File created C:\Program Files (x86)\tesla\files\Recover Keys v3 0 3 7-MAZE.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\WinZip PRO v12.1 + Serials.exe
- File created C:\Program Files (x86)\kazaa lite\my shared folder\Error Repair Professional 4 1 3 AT4RE DM999.exe
- File created C:\Program Files (x86)\bearshare\shared\LimeWire Pro.exe
- File created C:\Program Files (x86)\emule\incoming\Adobe Photoshop CS3 patch.exe
- File created C:\Program Files (x86)\emule\incoming\Microsoft Office 2010 Enterprise Corporate Edition.exe
- File created C:\Program Files (x86)\emule\incoming\Adobe Dreamweaver CS4 Keygen.exe
- File created C:\Program Files (x86)\emule\incoming\RuneScape 2010 - Newest Exploits.exe
- File created C:\Program Files (x86)\tesla\files\cute dogs screensaver.exe
- File created C:\Program Files (x86)\kazaa lite\my shared folder\DesktopCalendar.exe
- File created C:\Program Files (x86)\icq\shared folder\Xilisoft Burn Pro v1 0 64 0112 Keygen.exe
- File created C:\Program Files (x86)\bearshare\shared\facebook for dummies.exe
- File created C:\Program Files (x86)\edonkey2000\incoming\Xilisoft CD Ripper v1 0 47 0904 Keygen.exe
- File created C:\Program Files (x86)\morpheus\my shared folder\RAR Password Recovery Magic v6 1 1 172-BEAN.exe
- File created C:\Program Files (x86)\morpheus\my shared folder\Atomix Virtual DJ v6.0.2 FINAL Professional.exe
- File created C:\Program Files (x86)\morpheus\my shared folder\YouTube Downloader all Access.exe
- File created C:\Program Files (x86)\tesla\files\Dr Web AntiVirus v5 0 10 11260 R-EAT.exe
- File created C:\Program Files (x86)\kazaa lite k++\my shared folder\Xilisoft CD Ripper v1 0 47 0904 Keygen.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Atomix Virtual DJ v6.0.2 FINAL Professional.exe
- File created C:\Program Files (x86)\kazaa lite\my shared folder\Yamicsoft Windows 7 Manager v1 1 8 x64.exe
- File created C:\Program Files (x86)\bearshare\shared\Microsoft Office 2010 Enterprise Corporate Edition.exe
- File created C:\Program Files (x86)\limewire\shared\Windows 7 Toolkit v1.8 activations+full suite.exe
- File created C:\Program Files (x86)\winmx\shared\Xilisoft 3GP Video Converter v5 1 26 1231 Key.exe
- File created C:\Program Files (x86)\kazaa\my shared folder\Microsoft Office Accounting Professional 2009.exe
- File created C:\Program Files (x86)\grokster\my grokster\Windows 7 Toolkit v1.8 activations+full suite.exe
- File created C:\Program Files (x86)\bearshare\shared\MS Office 2007 Activation KeyGen.exe
- File created C:\Program Files (x86)\emule\incoming\Driver Genius Professional 2009 9.0.0 Build 186.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: services.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: services.EXE)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
- PID 2832 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE (12 IoCs)
- PID 1232 services.EXE (12 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 2760 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
- PID 2604 services.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
- PID 2760 (7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe) wrote to memory of PID 2832 (7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE): 10 IoCs
- PID 2832 (7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE) wrote to memory of PID 2604 (services.exe): 4 IoCs
- PID 2604 (services.exe) wrote to memory of PID 1232 (services.EXE): 10 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe"), PID 2760
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE (command line: C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE), PID 2832
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\services.exe (command line: "C:\Users\Admin\AppData\Roaming\services.exe"), PID 2604
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\services.EXE (command line: C:\Users\Admin\AppData\Roaming\services.EXE), PID 1232
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 155KB
MD5: 7b824e5d964fc615c9d499d3df4cb7fa
SHA1: ffa0e0b22ba2a76473cb07a7d2e2b8e5559a49c5
SHA256: eec58cff377da4fe37b2338f82921d19f157aa88fd7cbe547ae51e75d690121f
SHA512: 4a87db8f9d0fdc9d556b9470f900328b5565fe771aee2152ce73d7aaffa4fb71da0f51d96dd3d5b51898277b04c5ce879b99dc84be57f6c0330816c11a00d8c1