Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2024 19:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe
- Size: 510KB
- MD5: b32887d66b27dadf480862b6cde5195f
- SHA1: 66b90bf3e149e1b749e0712a0d2accfda3505994
- SHA256: df132f86e249516d4dff203d957d7d4ca2fc11b5da94d2a1474dec0e1ca74832
- SHA512: 365b4fc55f02c9548a70424dd6ed2ef804a8e17d8d915cded281d64c51e300e460c4ac312d04eca56f2e40de7713058135ffb9226bb531fe18b75c6717a2c4fc
- SSDEEP: 12288:wIx2yuzSCO1MvHBct+XAZTlV2YE5ichvg:dMzSC4mApZTl4Yy3Jg
Malware Config
Extracted
latentbot
hackingmarian.zapto.org
Signatures
Latentbot family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | server.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe
Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | server.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | server.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | server.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | server.exe
resource | yara_rule
- behavioral1/files/0x0009000000016644-60.dat | aspack_v212_v242
Executes dropped EXE (5 IoCs)
pid | process
- 2568 | server.exe
- 3032 | x22Cheats-crackd by Bischak344.exe
- 1836 | upnp.exe
- 2836 | fservice.exe
- 2892 | services.exe
Loads dropped DLL (6 IoCs)
pid | process
- 2568 | server.exe
- 2568 | server.exe
- 2892 | services.exe
- 2892 | services.exe
- 2836 | fservice.exe
- 2568 | server.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | server.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe
Drops file in System32 directory (7 IoCs)
description | ioc | process
- File created | C:\Windows\SysWOW64\fservice.exe | server.exe
- File opened for modification | C:\Windows\SysWOW64\fservice.exe | server.exe
- File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
- File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe
- File created | C:\Windows\SysWOW64\winkey.dll | services.exe
- File created | C:\Windows\SysWOW64\reginv.dll | services.exe
- File created | C:\Windows\SysWOW64\fservice.exe | services.exe
resource | yara_rule
- behavioral1/files/0x0008000000016c73-12.dat | upx
- behavioral1/memory/2568-13-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/files/0x0007000000016ce7-25.dat | upx
- behavioral1/memory/1836-33-0x0000000000400000-0x000000000040D000-memory.dmp | upx
- behavioral1/memory/1836-50-0x0000000000400000-0x000000000040D000-memory.dmp | upx
- behavioral1/memory/2892-58-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2836-55-0x0000000003350000-0x000000000354C000-memory.dmp | upx
- behavioral1/memory/2836-44-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2568-62-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2836-79-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2568-81-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-84-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-85-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-87-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-89-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-91-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-93-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-95-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-97-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-99-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-101-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-103-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-105-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-107-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-109-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
- behavioral1/memory/2892-111-0x0000000000400000-0x00000000005FC000-memory.dmp | upx
Drops file in Windows directory (8 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\services.exe | fservice.exe
- File created | C:\Windows\system\sservice.exe | fservice.exe
- File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
- File created | C:\Windows\system\sservice.exe | services.exe
- File opened for modification | C:\Windows\system\sservice.exe | services.exe
- File created | C:\Windows\system\sservice.exe | server.exe
- File opened for modification | C:\Windows\system\sservice.exe | server.exe
- File created | C:\Windows\services.exe | fservice.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NET.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fservice.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NET.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
- 2892 | services.exe (64 identical entries, all from this one process)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 1724 | b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe
- Token: SeDebugPrivilege | 3032 | x22Cheats-crackd by Bischak344.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
- 2892 | services.exe
- 2892 | services.exe
Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | process | procid_target (repeated entries collapsed with a count)
- PID 1724 wrote to memory of 2568 | 1724 | b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe | 30 (x4)
- PID 1724 wrote to memory of 3032 | 1724 | b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe | 31 (x3)
- PID 3032 wrote to memory of 1836 | 3032 | x22Cheats-crackd by Bischak344.exe | 32 (x4)
- PID 3032 wrote to memory of 2724 | 3032 | x22Cheats-crackd by Bischak344.exe | 34 (x3)
- PID 2568 wrote to memory of 2836 | 2568 | server.exe | 35 (x4)
- PID 2836 wrote to memory of 2892 | 2836 | fservice.exe | 36 (x4)
- PID 2892 wrote to memory of 2792 | 2892 | services.exe | 37 (x4)
- PID 2892 wrote to memory of 2620 | 2892 | services.exe | 38 (x4)
- PID 2620 wrote to memory of 2436 | 2620 | NET.exe | 42 (x4)
- PID 2792 wrote to memory of 2328 | 2792 | NET.exe | 41 (x4)
- PID 2568 wrote to memory of 1132 | 2568 | server.exe | 43 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe"
  PID: 1724
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 2568
    signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fservice.exe
      command line: C:\Windows\system32\fservice.exe
      PID: 2836
      signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\services.exe
        command line: C:\Windows\services.exe -XP
        PID: 2892
        signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\NET.exe
          command line: NET STOP srservice
          PID: 2792
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 STOP srservice
            PID: 2328
            signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\NET.exe
          command line: NET STOP navapsvc
          PID: 2620
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 STOP navapsvc
            PID: 2436
            signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\server.exe.bat
      PID: 1132
      signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\x22Cheats-crackd by Bischak344.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\x22Cheats-crackd by Bischak344.exe"
    PID: 3032
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\upnp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\upnp.exe"
      PID: 1836
      signatures: Executes dropped EXE
    - C:\Windows\system32\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\x22 Cheats - Cracked by Bishak233.txt
      PID: 2724
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Downloads
- Filesize: 342KB
  MD5: 6b804e0902af8506af0e5b4b7334a7e8
  SHA1: e6c68e340e5569fd6d2bc0f26135f6d3ad607883
  SHA256: 59e7af5f06a8dc067455a95bde9d744bde8b4c38920ace4b82aea022b4310279
  SHA512: 68241ff7d7ec5ebd1c4eecd9fc337c9bc5fb1f75489dcffd2df87d07d48bbfa6454b13680b05620607c33262ecbbbc3d8cdcb246f599bbd3daa1fa54f01c76b7
- Filesize: 129B
  MD5: 4f73a47eadc64c971ad4a3e09cceef9b
  SHA1: 7e782f6c004bfeb885ac5e05968ff8725a7a53bb
  SHA256: b6f7c895d22726f59e43964ef4140ed8ee4f5b298dbafcdca2a01a40f7bf3c6c
  SHA512: 6332bffc816601e37217ad3111bf6658e8602857d92c97599cef1605c8ccb3c6e1fac7867be835f9fd26122a7d1ec34296ecfe9ca3a57cd47117036131c3f4d1
- Filesize: 12KB
  MD5: 13804f8dc4e72ba103d5e34de895c9db
  SHA1: 03d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5
  SHA256: da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6
  SHA512: 9abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652
- Filesize: 29KB
  MD5: 093f4a70f8ad0f357ed95f0c216e1efb
  SHA1: bab5799855bccc50e3bb8adcf07ccdd28fc215a1
  SHA256: d40937911f2049c8d8a4aaa9e862a57e5eb8bebe6897c4c372284dcf723f2042
  SHA512: 430657b5b13dc4668e0158a61d9dbd806de96fab1063abda0108fe1e845a8bba62eaf436ae7a30ec1dc4673e52d02ace781e8223d3838288d48a1dc999968e2e
- Filesize: 36KB
  MD5: 562e0d01d6571fa2251a1e9f54c6cc69
  SHA1: 83677ad3bc630aa6327253c7b3deffbd4a8ce905
  SHA256: c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
  SHA512: 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
- Filesize: 13KB
  MD5: b4c72da9fd1a0dcb0698b7da97daa0cd
  SHA1: b25a79e8ea4c723c58caab83aed6ea48de7ed759
  SHA256: 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
  SHA512: f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066