General

  • Target

    da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118

  • Size

    549KB

  • Sample

    241209-tz1nbatmhx

  • MD5

    da850e482c7b7b9daa4f2dadc45465b8

  • SHA1

    a73cfb93a76081704d021c061688f5278fe70e43

  • SHA256

    b083d9975868f9db819f144c6301051a35ce490af730ca65f3b2fcfedccce962

  • SHA512

    65da3971bd9e026f7800ba0e359b108559f1548a9a13dd491a3ecfff4d7561fa76b2dbadbbc5ff7f2c6cf0f91048f0b704b0c75fa7a723c6d47bc3fcfafdbc83

  • SSDEEP

    12288:F2S7zTYrvnhMk2r6sl10yYqJOkx6FvUyMrusgfVyr7mr:0S7orak2SIOqFVyhErKr

Malware Config

Extracted

Family

latentbot

C2

snaggelpuss123.zapto.org
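The C2 hostname above sits under zapto.org, a dynamic-DNS parent zone, so a hunt should match the exact indicator and also surface sibling hosts under the same zone. The following is an added example for this report, not part of the sandbox output: it scans DNS log lines for the indicator. The log line layout (timestamp, client, query name, query type) and the lines themselves are constructed for illustration, and treating the parent of the C2 host as the zone of interest is an assumption.

```python
"""Flag DNS queries for the LatentBot C2 host in the report above and for
any other host under the same dynamic-DNS parent zone.

Added example for this report; not part of the sandbox output. The log
lines and the field layout (timestamp, client, qname, qtype) are constructed.
"""
import re
from typing import List, Optional, Tuple

# Indicator taken from the report's Malware Config section.
C2_HOST = "snaggelpuss123.zapto.org"

# Assumption: the registered parent of the C2 host is the zone to watch.
DDNS_ZONE = C2_HOST.split(".", 1)[1]  # "zapto.org"

# Constructed sample log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-12-09T13:01:02Z 10.0.0.15 www.microsoft.com A
2024-12-09T13:01:05Z 10.0.0.15 snaggelpuss123.zapto.org A
2024-12-09T13:01:09Z 10.0.0.22 SNAGGELPUSS123.ZAPTO.ORG. A
2024-12-09T13:02:10Z 10.0.0.31 other-host.zapto.org A
2024-12-09T13:02:11Z 10.0.0.31 zapto.org.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(qname: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def classify(qname: str) -> Optional[str]:
    """'c2' for the exact indicator, 'ddns-zone' for a sibling host under
    the same parent zone, None otherwise."""
    name = normalize(qname)
    if name == C2_HOST:
        return "c2"
    # Suffix match anchored on a label boundary, so a name such as
    # "zapto.org.example.com" does not match.
    if name.endswith("." + DDNS_ZONE):
        return "ddns-zone"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, normalized qname, verdict) per suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, qname, _qtype = m.groups()
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, normalize(qname), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Case and trailing-dot normalization matters here: resolvers and log pipelines differ in how they write query names, and an exact string compare against the report's indicator would otherwise miss the third line.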

Targets

    • Target

      da850e482c7b7b9daa4f2dadc45465b8_JaffaCakes118


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • LatentBot

      Modular trojan written in Delphi that has been in the wild since 2013.

    • Latentbot family

    • Modifies firewall policy service

      Alters the Windows Firewall policy configuration, which a RAT typically does so that its own inbound or outbound connections are not blocked.

    • Checks BIOS information in registry

      BIOS vendor and version strings in the registry are often read to detect virtual machines and sandboxes, whose values differ from those of physical hosts.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of a (usually suspended) thread; in malware it is most often used to redirect execution into injected code, as in process hollowing.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it; packing hides the real code from static analysis until it is unpacked at runtime.
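The UPX signature above is usually satisfied from the PE headers alone. The following is an added example for this report, not the sandbox's own detection logic: it parses the PE section table and reports the evidence an analyst looks for (UPX0/UPX1 section names, the "UPX!" loader marker, and a first section that occupies memory but has no bytes on disk, which is what a decompression target looks like even when a modified packer renames the sections). The PE images are constructed in memory so the script runs offline; the `build_pe` helper and the section layouts are illustrative assumptions, not data from the sample.

```python
"""Recognise a UPX-packed PE from its section table.

Added example for this report, not the sandbox's detection logic. The PE
images are built in memory by build_pe (a constructed helper) so the script
runs offline; real UPX output also carries compressed data and a loader.
"""
import struct
from typing import Dict, List, Tuple

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections: List[Tuple[bytes, int, int]], marker: bytes = b"") -> bytes:
    """Minimal PE32: DOS stub, PE signature, COFF header, zeroed optional
    header, then one header per (name, VirtualSize, SizeOfRawData) tuple."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic
    hdrs = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                         rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + hdrs + marker


def parse_sections(data: bytes) -> List[Dict[str, int]]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    off = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for _ in range(num_sections):
        name, vsize, _vaddr, rawsize, *_rest = SECTION_HDR.unpack_from(data, off)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "rawsize": rawsize})
        off += SECTION_HDR.size
    return out


def upx_verdict(data: bytes) -> Dict[str, object]:
    """Collect UPX evidence: section names, loader marker, empty first section."""
    secs = parse_sections(data)
    names = [s["name"] for s in secs]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    upx_marker = b"UPX!" in data
    # UPX0 is the decompression target: nothing on disk, large in memory.
    empty_first = bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
    if upx_names or upx_marker:
        verdict = "upx"
    elif empty_first:
        verdict = "possible-packer"  # renamed sections, same shape
    else:
        verdict = "clean"
    return {"sections": names, "upx_names": upx_names, "upx_marker": upx_marker,
            "empty_first_section": empty_first, "verdict": verdict}


# Constructed images: a stock UPX layout, a renamed-section variant, and a
# plain binary whose sections are fully backed by bytes on disk.
PACKED = build_pe([(b"UPX0", 0x30000, 0), (b"UPX1", 0x1F000, 0x1E800),
                   (b".rsrc", 0x4000, 0x3A00)], marker=b"UPX!")
RENAMED = build_pe([(b".text", 0x30000, 0), (b".data", 0x1F000, 0x1E800)])
CLEAN = build_pe([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x800)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, upx_verdict(img))
```

The "possible-packer" verdict is deliberately weaker than "upx": a renamed section table is a hint to unpack and look again, not a family attribution. For a real sample, read the file bytes and pass them to `upx_verdict`.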

MITRE ATT&CK Enterprise v15

Tasks