latentbot | e8da0bd688256c7e5c300cad84a041c09ff6f26ff7a5be28ebabb3146a06ddcb

General

Target

JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe
Size

704KB
MD5

8c70020a29bc1a430f48a15f5c780985
SHA1

dd318efaa5f36bbdecf9cf29e55d74c1f81bf5e0
SHA256

e8da0bd688256c7e5c300cad84a041c09ff6f26ff7a5be28ebabb3146a06ddcb
SHA512

37346db43ea2fec81ec810cd09a1f74f823a1fe5d9f5e98bf67788511b7623420fb998ca9f8c586f6b9b93d5c53d5b4651197f23994602903f3e74566f343c0d
SSDEEP

12288:V4zTkLn8a0gC+khD5YMlLKv3cLXsUp8sQ3crW0/rRcWSTQeSC1j:VXntiBCMlYsLHpBQ3+/rtSc1C

Score

10^/10

latentbot xtremerat discovery persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

C2

thuthuatgame.zapto.org

Extracted

Family

latentbot

C2

thuthuatgame.zapto.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000800000002429d-15.dat	family_xtremerat
behavioral2/memory/4952-26-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/5328-27-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4952-30-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	SERVER.EXE

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	SERVER.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	SERVER.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	DISS AU VIP BY AC QUY DO.EXE
5328	SERVER.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	SERVER.EXE

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000021e27-4.dat	upx
behavioral2/memory/4872-16-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-28-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-31-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-32-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-33-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-34-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-35-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-36-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-37-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-38-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-39-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-40-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-41-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-42-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-43-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/4872-44-0x0000000000400000-0x0000000000597000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	SERVER.EXE
File created	C:\Windows\InstallDir\Server.exe	SERVER.EXE
File opened for modification	C:\Windows\InstallDir\	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DISS AU VIP BY AC QUY DO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4872	DISS AU VIP BY AC QUY DO.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2488	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2488	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4952	explorer.exe
4872	DISS AU VIP BY AC QUY DO.EXE
4872	DISS AU VIP BY AC QUY DO.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4872	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	85
PID 2360 wrote to memory of 4872	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	85
PID 2360 wrote to memory of 4872	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	85
PID 2360 wrote to memory of 5328	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	87
PID 2360 wrote to memory of 5328	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	87
PID 2360 wrote to memory of 5328	2360	JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe	87
PID 5328 wrote to memory of 4936	5328	SERVER.EXE	95
PID 5328 wrote to memory of 4936	5328	SERVER.EXE	95
PID 5328 wrote to memory of 4952	5328	SERVER.EXE	96
PID 5328 wrote to memory of 4952	5328	SERVER.EXE	96
PID 5328 wrote to memory of 4952	5328	SERVER.EXE	96
PID 5328 wrote to memory of 4952	5328	SERVER.EXE	96

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c70020a29bc1a430f48a15f5c780985.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\DISS AU VIP BY AC QUY DO.EXE
  "C:\Users\Admin\AppData\Local\Temp\DISS AU VIP BY AC QUY DO.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DISS AU VIP BY AC QUY DO.EXE

Filesize
602KB

MD5
a64a2406a7e1f964a6f92169777b10f6

SHA1
d38491f831a4808091ea9bd556ddadd216262b1c

SHA256
cb2df4cb0ac7114de2b4f2860d78ea15a6a29ccb599602fa230d0cdd05edcf48

SHA512
8dba9277ba8b7aac5c15a7c977fa617c8e8982cfe123216eb4957491cdd808d92238fcd05146891d315a5471689600e0f069e015762811d5ee3aa993466338b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
45KB

MD5
3dd24ffc2761b7eb396766f587249292

SHA1
4a6b6e574503ecd595c1840322fe4011b411d9cc

SHA256
8cc2a3f378194e9e6ab730f466a178d1a35cfd6af3897f08b7af8359be03a273

SHA512
4ad1e2683f0c6a449496e7b9cc31c897802fc37f58a39e69010fa3d4a8637067a933908f52a8742cd6c5277365ec941fceecc3972a9c001bb7059eb47762b2b7

Download Submit
memory/4872-34-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-35-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-44-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-28-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-43-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-31-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-32-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-33-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-16-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-42-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-36-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-37-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-38-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-39-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-40-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4872-41-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4952-26-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4952-30-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/5328-27-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads