latentbot | eec58cff377da4fe37b2338f82921d19f157aa88fd7cbe547ae51e75d690121f

General

Target

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
Size

155KB
MD5

7b824e5d964fc615c9d499d3df4cb7fa
SHA1

ffa0e0b22ba2a76473cb07a7d2e2b8e5559a49c5
SHA256

eec58cff377da4fe37b2338f82921d19f157aa88fd7cbe547ae51e75d690121f
SHA512

4a87db8f9d0fdc9d556b9470f900328b5565fe771aee2152ce73d7aaffa4fb71da0f51d96dd3d5b51898277b04c5ce879b99dc84be57f6c0330816c11a00d8c1
SSDEEP

3072:6BQAX4A71Gx3nr5aI+xk4UytHGyqXD0n8HbB3:6zGVnr5X+bHiXgns

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

established.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.EXE

pid process

5008 services.exe
2988 services.EXE

pid	process
5008	services.exe
2988	services.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe"	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

description	ioc	process
File opened (read-only)	\??\q:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\n:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\e:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\z:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\t:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\u:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\g:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\o:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\m:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\l:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\k:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\j:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\v:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\r:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\w:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\s:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\p:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\i:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\h:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\y:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File opened (read-only)	\??\x:	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exeservices.exe

description	pid	process	target process
PID 1864 set thread context of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 5008 set thread context of 2988	5008	services.exe	services.EXE

Drops file in Program Files directory 64 IoCs

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

description	ioc	process
File created	C:\Program Files (x86)\bearshare\shared\paypal hack 2010.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\RAR Password Recovery Magic v6 1 1 172-BEAN.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite k++\my shared folder\Dr Web AntiVirus v5 0 10 11260 R-EAT.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite\my shared folder\Xilisoft AVI MPEG Joiner v1 0 34 1012 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Xilisoft 3GP Video Converter v5 1 26 1231 Key.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\Xilisoft 3GP Video Converter v5 1 26 1231 Key.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\Trojan Killer 2.0.6.4 Patch.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\YouTube Downloader all Access.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite k++\my shared folder\Diskeeper 2010 Pro Premier v14 0 900.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\paypal hack 2010.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\edonkey2000\incoming\Miscrosoft Office Ultimate 2007.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\Microsoft Office 2010 Enterprise Corporate Edition.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\Uniture Memory Booster v6 1 0 5158-MESMERiZE.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\grokster\my grokster\Microsoft Office Accounting Professional 2009.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Miscrosoft Office Ultimate 2007.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Adobe Photoshop CS4 KeyGen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\MS Office 2007 Activation KeyGen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\Windows 2008 Server KeyGen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite\my shared folder\Recover Keys v3 0 3 7-MAZE.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\Adobe Photoshop CS3 patch.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\limewire\shared\paypal hack 2010.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\tesla\files\Diskeeper 2010 Pro Premier v14 0 900t Final.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\office 2007 activation.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Yamicsoft Windows 7 Manager v1 1 8 x64.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\edonkey2000\incoming\Babylon 8 - Instant translation tool.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\Xilisoft CD Ripper v1 0 47 0904 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\Microsoft AutoCollage 2008.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\DesktopCalendar.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\Diskeeper 2010 Pro Premier v14 0 900t Final.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\winmx\shared\redsn0w-win 0 8.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\limewire\shared\Adobe Photoshop CS3 patch.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite\my shared folder\Uniture Memory Booster v6 1 0 5158-MESMERiZE.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\Xilisoft Blu Ray Ripper v5 2 4 0108 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\tesla\files\Dr Web AntiVirus v5 0 10 11260 R-EAT.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\winmx\shared\WinZip PRO v12.1 + Serials.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\DiceRoller2 0.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite\my shared folder\facebook for dummies.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\office 2007 activation.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\icq\shared folder\WinRAR-3 91 Full + Keymaker.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\grokster\my grokster\Error Repair Professional 4 1 3 AT4RE DM999.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Sony Vegas Pro 9.0 Full.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\YouTube Downloader all Access.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\winmx\shared\Adobe Dreamweaver CS4 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\DesktopCalendar.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\grokster\my grokster\LimeWire Pro.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Xilisoft Burn Pro v1 0 64 0112 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\CleanMyPC Registry Cleaner v4 02-TE.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\limewire\shared\Autorun Virus Remover v2 3 1022-Lz0.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\facebook for dummies.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\limewire\shared\Microsoft Windows Home Server 2010 Build 7360.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\tesla\files\redsn0w-win 0 8.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Adobe Photoshop CS4 Extended + Keygen + Activation.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa lite k++\my shared folder\Autorun Virus Remover v2 3 1022-Lz0.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\bearshare\shared\Loaris Trojan Remover 1.2.0 Patch.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\edonkey2000\incoming\Error Repair Professional 4 1 3 AT4RE DM999.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\emule\incoming\Xilisoft Burn Pro v1 0 64 0112 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\morpheus\my shared folder\Xilisoft CD Ripper v1 0 47 0904 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\winmx\shared\Web Dumper 3.1.1 Keygen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\winmx\shared\Adobe Photoshop CS4 KeyGen.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\kazaa\my shared folder\Microsoft AutoCollage 2008.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
File created	C:\Program Files (x86)\grokster\my grokster\WinZip PRO v12.1 + Serials.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

services.EXE7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXEservices.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

pid	process
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exeservices.exe

pid process

1864 7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
5008 services.exe

pid	process
1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
5008	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXEservices.exe

description	pid	process	target process
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1864 wrote to memory of 1652	1864	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
PID 1652 wrote to memory of 5008	1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE	services.exe
PID 1652 wrote to memory of 5008	1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE	services.exe
PID 1652 wrote to memory of 5008	1652	7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE	services.exe
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE
PID 5008 wrote to memory of 2988	5008	services.exe	services.EXE

C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
  C:\Users\Admin\AppData\Local\Temp\7b824e5d964fc615c9d499d3df4cb7fa_JaffaCakes118.EXE
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\services.exe
    "C:\Users\Admin\AppData\Roaming\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Roaming\services.EXE
      C:\Users\Admin\AppData\Roaming\services.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windump.exe

Filesize
155KB

MD5
7b824e5d964fc615c9d499d3df4cb7fa

SHA1
ffa0e0b22ba2a76473cb07a7d2e2b8e5559a49c5

SHA256
eec58cff377da4fe37b2338f82921d19f157aa88fd7cbe547ae51e75d690121f

SHA512
4a87db8f9d0fdc9d556b9470f900328b5565fe771aee2152ce73d7aaffa4fb71da0f51d96dd3d5b51898277b04c5ce879b99dc84be57f6c0330816c11a00d8c1

Download Submit
memory/1652-27-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1652-24-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-34-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-38-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-33-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-35-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-36-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-37-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-39-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-41-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-43-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2988-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads