latentbot | 3a4f8430dd794e93e9f2ac368c9b6f61c93609e0e52afe292a1aa95abae99453

General

Target

JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe
Size

731KB
MD5

7988827f545203ac2ea13c652d5674a8
SHA1

27c7674a9783458a03df947db92af9f0bda59cda
SHA256

3a4f8430dd794e93e9f2ac368c9b6f61c93609e0e52afe292a1aa95abae99453
SHA512

e4875f25e566ba353381838e8fc19aec100f459691353e50f78a1e5cf0bf4324f0603cb26dc6ee634438e230b62930ea0e2935f1ed5568999d2c0e3571686e89
SSDEEP

12288:4rOq7yb4relPEb8UbxI0k9V7dTxfPzscAO3t8MYPbEum9X2cqwW8hlZaM:4rOMyE8PEbK0uVHkeubEum9XXqJsbaM

Score

10^/10

latentbot defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

latentbot

C2

hakerbolbol.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4784	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	fsdgtrds.Rummage.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe	gorft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\717b83676f0ab8c5935f4e7857307217.exe	gorft.exe

Executes dropped EXE 3 IoCs

pid	Process
2660	fsdgtrds.Rummage.exe
2456	file_recovery_2.exe
4764	gorft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .."	gorft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\717b83676f0ab8c5935f4e7857307217 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gorft.exe\" .."	gorft.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	file_recovery_2.exe
File opened (read-only)	\??\a:	file_recovery_2.exe
File opened (read-only)	\??\h:	file_recovery_2.exe
File opened (read-only)	\??\k:	file_recovery_2.exe
File opened (read-only)	\??\s:	file_recovery_2.exe
File opened (read-only)	\??\x:	file_recovery_2.exe
File opened (read-only)	\??\y:	file_recovery_2.exe
File opened (read-only)	\??\z:	file_recovery_2.exe
File opened (read-only)	\??\e:	file_recovery_2.exe
File opened (read-only)	\??\j:	file_recovery_2.exe
File opened (read-only)	\??\l:	file_recovery_2.exe
File opened (read-only)	\??\m:	file_recovery_2.exe
File opened (read-only)	\??\n:	file_recovery_2.exe
File opened (read-only)	\??\r:	file_recovery_2.exe
File opened (read-only)	\??\u:	file_recovery_2.exe
File opened (read-only)	\??\b:	file_recovery_2.exe
File opened (read-only)	\??\g:	file_recovery_2.exe
File opened (read-only)	\??\i:	file_recovery_2.exe
File opened (read-only)	\??\o:	file_recovery_2.exe
File opened (read-only)	\??\p:	file_recovery_2.exe
File opened (read-only)	\??\t:	file_recovery_2.exe
File opened (read-only)	\??\v:	file_recovery_2.exe
File opened (read-only)	\??\w:	file_recovery_2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000024232-17.dat	upx
behavioral2/memory/2456-24-0x0000000000400000-0x00000000005C5000-memory.dmp	upx
behavioral2/memory/2456-41-0x0000000000400000-0x00000000005C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsdgtrds.Rummage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file_recovery_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gorft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe
4764	gorft.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe
Token: SeDebugPrivilege	4764	gorft.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2660	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	87
PID 2116 wrote to memory of 2660	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	87
PID 2116 wrote to memory of 2660	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	87
PID 2116 wrote to memory of 2456	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	88
PID 2116 wrote to memory of 2456	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	88
PID 2116 wrote to memory of 2456	2116	JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe	88
PID 2660 wrote to memory of 4764	2660	fsdgtrds.Rummage.exe	89
PID 2660 wrote to memory of 4764	2660	fsdgtrds.Rummage.exe	89
PID 2660 wrote to memory of 4764	2660	fsdgtrds.Rummage.exe	89
PID 4764 wrote to memory of 4784	4764	gorft.exe	90
PID 4764 wrote to memory of 4784	4764	gorft.exe	90
PID 4764 wrote to memory of 4784	4764	gorft.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7988827f545203ac2ea13c652d5674a8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe
  "C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\gorft.exe
    "C:\Users\Admin\AppData\Local\Temp\gorft.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gorft.exe" "gorft.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4784
- C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe
  "C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e653d73e45833b6c

Filesize
8B

MD5
80f583ab01e80aae24a8b5833a298602

SHA1
611396b2d1632d8d0d2828bb86fefbaf173989e0

SHA256
2691bbe79c030727918fbaf7f1f43b4eeaa8ab3852dad598758773f27af84504

SHA512
24e7b892745feb27602059062451894fc43dd3cf538bd95966f2e0b458d13e920177c40209099c494447903dba73a2efa4454b4cd26a2e79d7d840e87a015397

Download Submit
C:\Users\Admin\AppData\Local\Temp\file_recovery_2.exe

Filesize
482KB

MD5
276d5b7ca6303c28492807f4d1d92309

SHA1
68f2bf37c6952a5a5e2ee06c721a40ecac244439

SHA256
a8b210be8d7774a898df8306a4f2110d99218198fb842fdcd180c624c765f8aa

SHA512
e0388aa6700e9d1cceef3d755083f3234b2c5e542fc0a64df528d3e5e3bdebf6d45aa215bc49640677748bf04b72083096292161b6fe87b7db040d2e56292423

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsdgtrds.Rummage.exe

Filesize
52KB

MD5
96681f9a5f34f4c09405674b1e22a35e

SHA1
700ce6e277c8dfd78ac98319fecf986691297dd6

SHA256
7c5f8d2446616124bfee0b2f217194acdb3088ab0b6d31cc01a1c84fa988ec1c

SHA512
c73b4a0300dce59d22ab89d3f4e7d6b87a120ca3f3480831f309d4f01675a425b705ec362037f5aefa6dc76e6aae5060354843e2952ad5cac6877e7d803a4563

Download Submit
memory/2116-3-0x000000001C230000-0x000000001C6FE000-memory.dmp

Filesize
4.8MB

Download
memory/2116-4-0x000000001C7A0000-0x000000001C83C000-memory.dmp

Filesize
624KB

Download
memory/2116-5-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/2116-0-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-2-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-26-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-1-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2456-24-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2456-28-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2456-41-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2456-42-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2660-27-0x00007FFB7D5B0000-0x00007FFB7D7A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads