latentbot | c9f50f5cecae36801a6af58c4a963677ac841bd906c9610c81a9459aa4fea12a

General

Target

fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe
Size

1.9MB
MD5

fda26ab58b66096bdd8f8e1cb79569c7
SHA1

d581aa899a4379b39eabd7101c1c5dbfc2c20e75
SHA256

c9f50f5cecae36801a6af58c4a963677ac841bd906c9610c81a9459aa4fea12a
SHA512

47e0928bc7cbbf6b06e8b6a7e6167005cda7303d04e600f015fe8c4282202b123726c1fbc4b856a55eceed6d12b02a72b12f31bce3f0956e40bcdf2e97a4d90d
SSDEEP

49152:Nn9GKSIFhfZRN9pEtAfzrPi37NzHDA6Y0dsfofPB:XnPN9eczrPi37NzHDA6Y0dsfox

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RUNDLL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3504	RUNDLL.EXE
1256	UNINS000.EXE

Loads dropped DLL 4 IoCs

pid	Process
3504	RUNDLL.EXE
3504	RUNDLL.EXE
1256	UNINS000.EXE
1256	UNINS000.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UNINS000.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2076	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe
1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe
3504	RUNDLL.EXE
3504	RUNDLL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3504	RUNDLL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3504	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	82
PID 1016 wrote to memory of 3504	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	82
PID 1016 wrote to memory of 3504	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	82
PID 1016 wrote to memory of 1256	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	83
PID 1016 wrote to memory of 1256	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	83
PID 1016 wrote to memory of 1256	1016	fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe	83
PID 3504 wrote to memory of 224	3504	RUNDLL.EXE	84
PID 3504 wrote to memory of 224	3504	RUNDLL.EXE	84
PID 3504 wrote to memory of 224	3504	RUNDLL.EXE	84
PID 224 wrote to memory of 4704	224	cmd.exe	86
PID 224 wrote to memory of 4704	224	cmd.exe	86
PID 224 wrote to memory of 4704	224	cmd.exe	86
PID 4704 wrote to memory of 2076	4704	cmd.exe	87
PID 4704 wrote to memory of 2076	4704	cmd.exe	87
PID 4704 wrote to memory of 2076	4704	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda26ab58b66096bdd8f8e1cb79569c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
  "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2076
- C:\Users\Admin\AppData\Roaming\UNINS000.EXE
  "C:\Users\Admin\AppData\Roaming\UNINS000.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
495KB

MD5
55b218cafac2281a0d3ba330e8c4930b

SHA1
b145044d120088be49f1c5d378b86560e69b1eb3

SHA256
72d99aa9b9f1f3c675c185fe983e303afecf4e8971e2e83d41b062c3588866a4

SHA512
f106a6950f8ce1f432a7fb15051c8dd787b68b3151739d58aecc5ed69500dfb9c695a6d203e0f2d2746bc83074243dc835275a24353bdc0f64917cc38b437206

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
512KB

MD5
bc135565b79d80459045107690f8d840

SHA1
e5daed1f571719a01ac6bae7c09044c0751492b5

SHA256
dec0d5991ccd586dc1c4840b667643c92a93a8c0f2c68d84d32c140e1785c3e4

SHA512
1a91089a5661ae54b40323021fea7e941e1a7b3894b5ecda3d3fda7fc4320247ef258688970edf3192a3a0d12ec8881e5795fd8b7bf08404191691b727784f03

Download Submit
C:\Users\Admin\AppData\Roaming\unins000.exe

Filesize
679KB

MD5
0d44ba4db9a8f05b293ea264075b31dd

SHA1
e894fcf4c0c3718021eb8d72e0d34c7d9b7cfd0c

SHA256
aaae5d9d6783e9248919b1ad7b5f46b2b545e7d3faa59c864c485b61f1ad0973

SHA512
21126a90a24ffc494f97eb34c9d2139b052dd586638618bda9d2c296c4844a6e7b1cb3e0f84315ae3f1b5c0cfe0d39c8f60d9a1fcc88c7167e69746da9cba776

Download Submit
memory/1016-24-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/1256-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1256-30-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1256-33-0x0000000005C00000-0x0000000005C82000-memory.dmp

Filesize
520KB

Download
memory/1256-35-0x0000000005C00000-0x0000000005C82000-memory.dmp

Filesize
520KB

Download
memory/3504-15-0x0000000000750000-0x00000000007D2000-memory.dmp

Filesize
520KB

Download
memory/3504-26-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3504-36-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3504-37-0x0000000000750000-0x00000000007D2000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads