Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 19:13

General

  • Target

    b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe

  • Size

    510KB

  • MD5

    b32887d66b27dadf480862b6cde5195f

  • SHA1

    66b90bf3e149e1b749e0712a0d2accfda3505994

  • SHA256

    df132f86e249516d4dff203d957d7d4ca2fc11b5da94d2a1474dec0e1ca74832

  • SHA512

    365b4fc55f02c9548a70424dd6ed2ef804a8e17d8d915cded281d64c51e300e460c4ac312d04eca56f2e40de7713058135ffb9226bb531fe18b75c6717a2c4fc

  • SSDEEP

    12288:wIx2yuzSCO1MvHBct+XAZTlV2YE5ichvg:dMzSC4mApZTl4Yy3Jg

Malware Config

Extracted

Family

latentbot

C2

hackingmarian.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b32887d66b27dadf480862b6cde5195f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\fservice.exe
        C:\Windows\system32\fservice.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\services.exe
          C:\Windows\services.exe -XP
          4⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\NET.exe
            NET STOP srservice
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP srservice
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2328
          • C:\Windows\SysWOW64\NET.exe
            NET STOP navapsvc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP navapsvc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\server.exe.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1132
    • C:\Users\Admin\AppData\Local\Temp\x22Cheats-crackd by Bischak344.exe
      "C:\Users\Admin\AppData\Local\Temp\x22Cheats-crackd by Bischak344.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Local\Temp\upnp.exe
        "C:\Users\Admin\AppData\Local\Temp\upnp.exe"
        3⤵
        • Executes dropped EXE
        PID:1836
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\x22 Cheats - Cracked by Bishak233.txt
        3⤵
          PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      342KB

      MD5

      6b804e0902af8506af0e5b4b7334a7e8

      SHA1

      e6c68e340e5569fd6d2bc0f26135f6d3ad607883

      SHA256

      59e7af5f06a8dc067455a95bde9d744bde8b4c38920ace4b82aea022b4310279

      SHA512

      68241ff7d7ec5ebd1c4eecd9fc337c9bc5fb1f75489dcffd2df87d07d48bbfa6454b13680b05620607c33262ecbbbc3d8cdcb246f599bbd3daa1fa54f01c76b7

    • C:\Users\Admin\AppData\Local\Temp\server.exe.bat

      Filesize

      129B

      MD5

      4f73a47eadc64c971ad4a3e09cceef9b

      SHA1

      7e782f6c004bfeb885ac5e05968ff8725a7a53bb

      SHA256

      b6f7c895d22726f59e43964ef4140ed8ee4f5b298dbafcdca2a01a40f7bf3c6c

      SHA512

      6332bffc816601e37217ad3111bf6658e8602857d92c97599cef1605c8ccb3c6e1fac7867be835f9fd26122a7d1ec34296ecfe9ca3a57cd47117036131c3f4d1

    • C:\Users\Admin\AppData\Local\Temp\upnp.exe

      Filesize

      12KB

      MD5

      13804f8dc4e72ba103d5e34de895c9db

      SHA1

      03d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5

      SHA256

      da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6

      SHA512

      9abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652

    • C:\Users\Admin\AppData\Local\Temp\x22Cheats-crackd by Bischak344.exe

      Filesize

      29KB

      MD5

      093f4a70f8ad0f357ed95f0c216e1efb

      SHA1

      bab5799855bccc50e3bb8adcf07ccdd28fc215a1

      SHA256

      d40937911f2049c8d8a4aaa9e862a57e5eb8bebe6897c4c372284dcf723f2042

      SHA512

      430657b5b13dc4668e0158a61d9dbd806de96fab1063abda0108fe1e845a8bba62eaf436ae7a30ec1dc4673e52d02ace781e8223d3838288d48a1dc999968e2e

    • \Windows\SysWOW64\reginv.dll

      Filesize

      36KB

      MD5

      562e0d01d6571fa2251a1e9f54c6cc69

      SHA1

      83677ad3bc630aa6327253c7b3deffbd4a8ce905

      SHA256

      c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

      SHA512

      166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

    • \Windows\SysWOW64\winkey.dll

      Filesize

      13KB

      MD5

      b4c72da9fd1a0dcb0698b7da97daa0cd

      SHA1

      b25a79e8ea4c723c58caab83aed6ea48de7ed759

      SHA256

      45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

      SHA512

      f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

    • memory/1724-3-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1724-2-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1724-19-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1724-1-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1724-0-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp

      Filesize

      4KB

    • memory/1836-50-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/1836-33-0x0000000000400000-0x000000000040D000-memory.dmp

      Filesize

      52KB

    • memory/2568-13-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2568-81-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2568-41-0x00000000033B0000-0x00000000035AC000-memory.dmp

      Filesize

      2.0MB

    • memory/2568-42-0x00000000033B0000-0x00000000035AC000-memory.dmp

      Filesize

      2.0MB

    • memory/2568-62-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2836-79-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2836-56-0x0000000003350000-0x000000000354C000-memory.dmp

      Filesize

      2.0MB

    • memory/2836-55-0x0000000003350000-0x000000000354C000-memory.dmp

      Filesize

      2.0MB

    • memory/2836-44-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-63-0x0000000010000000-0x000000001000B000-memory.dmp

      Filesize

      44KB

    • memory/2892-91-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-111-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-109-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-84-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-86-0x0000000010000000-0x000000001000B000-memory.dmp

      Filesize

      44KB

    • memory/2892-85-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-87-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-89-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-58-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-93-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-95-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-97-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-99-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-101-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-103-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-105-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/2892-107-0x0000000000400000-0x00000000005FC000-memory.dmp

      Filesize

      2.0MB

    • memory/3032-20-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB

    • memory/3032-40-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

      Filesize

      9.6MB