Overview

overview

10

Static

static

3

fbf9993af5...18.exe

windows7-x64

10

fbf9993af5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbf9993af55fd6b91076fe0280b9cf88_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    fbf9993af55fd6b91076fe0280b9cf88

  • SHA1

    6215ab3eb496420ee1129c67177c376a98e62ea9

  • SHA256

    6c4f362c28bb72facbd384afffb2fafa91a0b9dae5b6f2fd8a51490e6598b756

  • SHA512

    9346e09cb01e4d1e5d7049b3a4f19c4e23828c26e599605087ebe1364124140c67e79ce1757dbb67dcd60cb1b77325967f16806253a8c6e495ff32e80fa8ca84

  • SSDEEP

    24576:uK/cRgOnmq9g61r43VHpmhg5yfenrkTf8/hytOXH2nek3zweOHc6KFvlvRdHwKV0:FcOU7m6aHpmiymQeSe2nTjweOHcl5QH

Score
10/10
latentbotdiscoverytrojan

Malware Config

Extracted

Family

latentbot

C2

metin2destek.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbf9993af55fd6b91076fe0280b9cf88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fbf9993af55fd6b91076fe0280b9cf88_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\fbf9993af55fd6b91076fe0280b9cf88_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fbf9993af55fd6b91076fe0280b9cf88_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Users\Admin\AppData\Local\Temp\PUMA BOT.EXE
        "C:\Users\Admin\AppData\Local\Temp\PUMA BOT.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2780
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2980
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4940
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4076
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1336
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:644
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2532
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2464
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2940
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4884
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3408
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1544
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2876
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4496
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2792
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5024
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PREFIXTYPE
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PUMA BOT.EXE
    Filesize

    112KB

    MD5

    396752b01a46655db72d27f80664bd52

    SHA1

    ee62b2fc193a93aad7c419e33624dfd0d3721ea7

    SHA256

    29416ea859c74c4dd3e9e594aaa342897f790d4523d075548ecdb1766409caab

    SHA512

    409abab98a3a7c6bb1a5deddba397e4505685c98cf34125e7e3cd66c0a5576c8e2b6f60c1920c2bd4f8ca6477eff7d7173f4cfb984022253f19b773c54df878d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\USEMUTEX
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/4404-23-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-1-0x0000000002240000-0x00000000022A0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4404-37-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-36-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-35-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-34-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-31-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-30-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-29-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-27-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-7-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-25-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-24-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4404-22-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-21-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-20-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-19-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-18-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-17-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-16-0x0000000003AA0000-0x0000000003AA2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4404-13-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-15-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-10-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-8-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-5-0x0000000002340000-0x0000000002341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-33-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-32-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-12-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-11-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-9-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-26-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-6-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-3-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-2-0x0000000002320000-0x0000000002321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-43-0x00000000021D0000-0x00000000021D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-42-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-41-0x00000000021C0000-0x00000000021C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-38-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-14-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4404-50-0x0000000002240000-0x00000000022A0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4404-49-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/4404-28-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4476-99-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-111-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-105-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-104-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-98-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-97-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-100-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-51-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-113-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-103-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-101-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-46-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-106-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-107-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-108-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-109-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-110-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-47-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-112-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4476-102-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download