Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2025, 08:09

General

  • Target

    JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe

  • Size

    1.3MB

  • MD5

    c872b3edf73ce17ead51aaeaa802ad9e

  • SHA1

    02e0ddebe07c82a787c0bf7060a1ef65b62c4712

  • SHA256

    16d6fd6bec6386c9b156fa85ce981db98a976e97409f32ce9827f62d5378c76b

  • SHA512

    1bb0098ddc1760378c8db5e9bc0fc3dca079b159027a4b41c4222b4005dcf413773e10a1a60aa7dc4fc3b618fb1658cbbe1d795700b920fdaaab1f28892bb1c6

  • SSDEEP

    24576:KxltQg4lk46epYcmbMzABl3g/B74QKy6GH4pem9eh6058VNK6j3n:KxsagiiNV/4p/Khmn3n

Malware Config

Extracted

Family

latentbot

C2

birazsiradan.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Users\Admin\AppData\Local\rundll.exe
      "C:\Users\Admin\AppData\Local\rundll.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c syscheck.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5400
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:228
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
            5⤵
            • Adds policy Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c syscheck.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2936

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat

    Filesize

    170B

    MD5

    d53c75977954601b591dba8be2f53cd1

    SHA1

    5073b31394b4bb63af3d7ec0985d3a66d209abbe

    SHA256

    789c15d1350284cf0270658c414fa4ed204473644675cb13f9e3981d89724090

    SHA512

    baa379fc240cc3e26155eaf71fa61fad78ba781f00615055e5227ccaf81bcde74723231d20b157ed2a78bf354b617da5d9d21a0badb11eb1bb3a87a86cf40ca9

  • C:\Users\Admin\AppData\Local\ntdata.dll

    Filesize

    285KB

    MD5

    fe2232f82e4beb5ae483da8e699e1a51

    SHA1

    ed2131d0f70e709f8791bfff64d2b8a4cb658ed5

    SHA256

    0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e

    SHA512

    df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

  • C:\Users\Admin\AppData\Local\ntldr.dll

    Filesize

    147KB

    MD5

    4ca8f1c13f632b1168649967e6a97452

    SHA1

    9c5404d99f280a8f6349a3834c0ac167b2c2d6e6

    SHA256

    dff25e133d2e25b2b9a713c5f69a9b59d6a3da22a172368adfbd6a6ba7f701cb

    SHA512

    25d601b57054e29e6b77ce7b3ead18f756a0f931445d927919d4297d3d5f77cb447161ad46d9e523bb2a91566734db927eb0d06f258f9a93f02093826ee60bcb

  • C:\Users\Admin\AppData\Local\rundll.exe

    Filesize

    482KB

    MD5

    6ed55d1f33d1527b87fcb2f8c207c07f

    SHA1

    aef79aadf470cf3a0e0d8f34211f7bfc7e0bc240

    SHA256

    5fccdbe0f66f612a1c674ba28c6c788b3ea45ac7b70f5e23f3af2dbf1e33fdbe

    SHA512

    379ed920f7b72329296cc0d84e9c6fb107726ead875765c848564e9f94dd4b3f0cd75b2a80a74249bd618f58631830e0ed0bba0ddf7f781d6d58eee6a11cfd9a

  • memory/636-30-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

  • memory/636-16-0x0000000000A40000-0x0000000000A8C000-memory.dmp

    Filesize

    304KB

  • memory/636-21-0x00000000022C0000-0x00000000022E9000-memory.dmp

    Filesize

    164KB

  • memory/636-17-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

  • memory/636-28-0x0000000000A40000-0x0000000000A8C000-memory.dmp

    Filesize

    304KB

  • memory/636-29-0x00000000022C0000-0x00000000022E9000-memory.dmp

    Filesize

    164KB

  • memory/636-27-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/636-31-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3988-26-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/3988-0-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB