Malware Analysis Report

2025-04-03 10:27

Sample ID 250301-crzydawxds
Target JaffaCakes118_36146c6d28f737267d7d5d2761542490
SHA256 fd7cf79830ba3f8781da21c3ec3913002a1090aa6b9429cb09b2bee8fcaeac22
Tags
latentbot defense_evasion discovery persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd7cf79830ba3f8781da21c3ec3913002a1090aa6b9429cb09b2bee8fcaeac22

Threat Level: Known bad

The file JaffaCakes118_36146c6d28f737267d7d5d2761542490 was found to be: Known bad.

Malicious Activity Summary

latentbot defense_evasion discovery persistence privilege_escalation trojan

LatentBot

Latentbot family

Modifies Windows Firewall

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-01 02:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-01 02:19

Reported

2025-03-01 02:21

Platform

win7-20240729-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe"

C:\Users\Admin\AppData\Local\Temp\windows.exe

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | abdenour007.zapto.org | udp

Files

memory/2268-0-0x0000000074EB1000-0x0000000074EB2000-memory.dmp

memory/2268-2-0x0000000074EB0000-0x000000007545B000-memory.dmp

memory/2268-4-0x0000000074EB0000-0x000000007545B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windows.exe

MD5 36146c6d28f737267d7d5d2761542490
SHA1 fbcf84e52e75ef2f8e5f3dafdaaf738baf4f6d8e
SHA256 fd7cf79830ba3f8781da21c3ec3913002a1090aa6b9429cb09b2bee8fcaeac22
SHA512 cca384ba6a5a8a37eed9eecd405ce1439766b609eb2fc930e0862cb2b50c1777dd7f3131426b4bea65a5a472838610ccdf05113bb67c12744314d6187b5fec9d

memory/2268-14-0x0000000074EB0000-0x000000007545B000-memory.dmp

memory/2884-18-0x0000000074EB0000-0x000000007545B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e653d73e45833b6c

MD5 e194047d3dd08cc52f83d8ffb8f9b9f6
SHA1 9f98c1101d933db4e61d892c6f22b8ceaa233ed2
SHA256 f7fb39e6024563a05ba407b45a44c9f1114d74bb27439b9960fff1b7955efec9
SHA512 f17324220659d0d33d03e9a8eb9977a30570fa98eadeb5462c4c556540cf67e4fb47818ecb463f0e7ea3406f05b205ae11a0d4e4282633e8d373fa059a51e525

memory/2884-16-0x0000000074EB0000-0x000000007545B000-memory.dmp

memory/2884-15-0x0000000074EB0000-0x000000007545B000-memory.dmp

memory/2884-20-0x0000000074EB0000-0x000000007545B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-01 02:19

Reported

2025-03-01 02:21

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windows.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36146c6d28f737267d7d5d2761542490.exe"

C:\Users\Admin\AppData\Local\Temp\windows.exe

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp
US | 8.8.8.8:53 | abdenour007.zapto.org | udp

Files

memory/1772-0-0x0000000075162000-0x0000000075163000-memory.dmp

memory/1772-1-0x0000000075160000-0x0000000075711000-memory.dmp

memory/1772-2-0x0000000075160000-0x0000000075711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windows.exe

MD5 36146c6d28f737267d7d5d2761542490
SHA1 fbcf84e52e75ef2f8e5f3dafdaaf738baf4f6d8e
SHA256 fd7cf79830ba3f8781da21c3ec3913002a1090aa6b9429cb09b2bee8fcaeac22
SHA512 cca384ba6a5a8a37eed9eecd405ce1439766b609eb2fc930e0862cb2b50c1777dd7f3131426b4bea65a5a472838610ccdf05113bb67c12744314d6187b5fec9d

memory/1772-17-0x0000000075160000-0x0000000075711000-memory.dmp

memory/2928-18-0x0000000075160000-0x0000000075711000-memory.dmp

memory/2928-16-0x0000000075160000-0x0000000075711000-memory.dmp

memory/2928-19-0x0000000075160000-0x0000000075711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e653d73e45833b6c

MD5 3faa2d0358b5f4739503d1925775d056
SHA1 26cce36caca3f75a25a9aa354c53909fa0b0b61f
SHA256 b398bb31ba6d76bf2155d41f0d1540ebbc5293bda2a5ec369f206140a3a1bb8f
SHA512 a744a2affaef6664a68dfdee2d4f403f4d155197269857db63e938126247cf010fc18191896458228d417d64c5e52f483d3ae2b05336f79ffd608c52ed710b68

memory/2928-22-0x0000000075160000-0x0000000075711000-memory.dmp

memory/2928-23-0x0000000075160000-0x0000000075711000-memory.dmp