Analysis
-
max time kernel
106s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-12-2024 21:38
General
-
Target
c47e756e3c153d0ddec6d27c7ede09a2_JaffaCakes118.exe
-
Size
100KB
-
MD5
c47e756e3c153d0ddec6d27c7ede09a2
-
SHA1
43805115c3ff07c8eda4bef92e57904c11a1e5ac
-
SHA256
1e28928dbba0b860e22805a1d6a40c771ce1c975c1c0a9740adcf8f5010b9be2
-
SHA512
6f4e9300c0c360409ed55a6aa988b1a90f6077c4297df047feaa2a11d8117caf444a135c9ea301d22b0fd18d500d6aaf36aaed89c29b1283d041246ada0d071c
-
SSDEEP
1536:OgEs39DdAjgNuzCmH4Z2LKuRG/YI0ehne0SqA:9EodAjxmmCmzGwSne0XA
Malware Config
Extracted
latentbot
shootiemange.zapto.org
Signatures
-
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
-
Latentbot family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 20 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c47e756e3c153d0ddec6d27c7ede09a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c47e756e3c153d0ddec6d27c7ede09a2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c47e756e3c153d0ddec6d27c7ede09a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c47e756e3c153d0ddec6d27c7ede09a2_JaffaCakes118.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svdhost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svdhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svdhost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svdhost.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5c47e756e3c153d0ddec6d27c7ede09a2
SHA143805115c3ff07c8eda4bef92e57904c11a1e5ac
SHA2561e28928dbba0b860e22805a1d6a40c771ce1c975c1c0a9740adcf8f5010b9be2
SHA5126f4e9300c0c360409ed55a6aa988b1a90f6077c4297df047feaa2a11d8117caf444a135c9ea301d22b0fd18d500d6aaf36aaed89c29b1283d041246ada0d071c
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
96KB