Analysis
max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2025, 08:09

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
Size: 1.3MB
MD5: c872b3edf73ce17ead51aaeaa802ad9e
SHA1: 02e0ddebe07c82a787c0bf7060a1ef65b62c4712
SHA256: 16d6fd6bec6386c9b156fa85ce981db98a976e97409f32ce9827f62d5378c76b
SHA512: 1bb0098ddc1760378c8db5e9bc0fc3dca079b159027a4b41c4222b4005dcf413773e10a1a60aa7dc4fc3b618fb1658cbbe1d795700b920fdaaab1f28892bb1c6
SSDEEP: 24576:KxltQg4lk46epYcmbMzABl3g/B74QKy6GH4pem9eh6058VNK6j3n:KxsagiiNV/4p/Khmn3n
Malware Config
Extracted
Family: latentbot
C2: birazsiradan.zapto.org
Signatures
Latentbot family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll.exe = "\"C:\\Users\\Admin\\AppData\\Local\\rundll.exe \"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll.exe = "\"C:\\Users\\Admin\\AppData\\Local\\rundll.exe \"" | reg.exe
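The persistence here is a value under HKCU\...\Policies\Explorer\Run pointing at a copy of the sample dropped in AppData\Local. That key is processed at logon like the ordinary Run key but is less familiar, so it is easy to miss in a manual review; a detection should key on the registry path plus a user-writable target, not on the file name rundll.exe. The following Python is an added example written for this page, not code from the Triage report or from LatentBot. It parses raw process command lines (Sysmon event 1, EDR telemetry or a sandbox process tree), expands the hive alias, matches the key against the policy Run key and, as a generalisation beyond this page, the ordinary Run/RunOnce keys, recovers the target executable through the escaped-quote form this sample uses, and raises the severity when the target sits in a user-writable directory. The first three sample lines are taken from the process tree below; the two benign lines are constructed for contrast.

```python
"""Flag reg.exe autostart writes such as the Policies\\Explorer\\Run entry
in this report, working from raw process command lines."""
import re

# Autostart keys to flag, as suffixes of the normalised key path. The policy
# Run key is the one this sample uses; Run/RunOnce are the obvious generalisation.
AUTOSTART_KEYS = {
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN": "policy Run key",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN": "Run key",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE": "RunOnce key",
}
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
# Directory fragments a standard user can write to. An autostart pointing
# here (this sample: a copy under AppData\Local) is the high-signal case.
USER_WRITABLE_MARKERS = ("\\APPDATA\\", "\\TEMP\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\")

REG_ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.IGNORECASE)
VALUE_RE = re.compile(r'/v\s+(?P<name>"[^"]*"|\S+)', re.IGNORECASE)
DATA_RE = re.compile(r'/d\s+(?P<data>"(?:\\.|[^"\\])*"|\S+)', re.IGNORECASE)
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# First three lines: command lines from this report's process tree.
# Last two: constructed benign lines (not from the report) for contrast.
SAMPLE_COMMAND_LINES = [
    r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f',
    r'cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f',
    r"C:\Windows\system32\cmd.exe /c syscheck.bat",
    r'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f',
    r"REG ADD HKCU\Software\Contoso\Widget /v Installed /t REG_DWORD /d 1 /f",
]


def normalise_key(key):
    """Strip quotes, expand the hive alias and upper-case for suffix matching."""
    key = key.strip('"').replace("/", "\\").upper()
    hive, sep, path = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + path


def unquote_cmd_arg(arg):
    """Remove one layer of cmd.exe quoting: outer quotes, then backslash-quote escapes."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        arg = arg[1:-1]
    return arg.replace('\\"', '"')


def target_executable(data):
    """Program path from the /D data (handles the escaped-quote form this sample uses)."""
    inner = unquote_cmd_arg(data).strip()
    if inner.startswith('"'):
        end = inner.find('"', 1)
        return (inner[1:end] if end > 0 else inner[1:]).strip()
    m = EXE_RE.match(inner)
    return m.group(1) if m else inner.split(" ")[0]


def classify_reg_add(cmdline):
    """Return a finding dict for a REG ADD against an autostart key, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key = normalise_key(m.group("key"))
    kind = next((label for suffix, label in AUTOSTART_KEYS.items() if key.endswith(suffix)), None)
    if kind is None:
        return None
    rest = m.group("rest")
    vm = VALUE_RE.search(rest)
    dm = DATA_RE.search(rest)
    target = target_executable(dm.group("data")) if dm else ""
    user_writable = any(marker in target.upper() for marker in USER_WRITABLE_MARKERS)
    if user_writable:
        severity = "high"      # autostart into a user-writable directory
    elif kind == "policy Run key":
        severity = "medium"    # unusual key even with a protected-location target
    else:
        severity = "low"       # ordinary Run key, target in a protected directory
    return {
        "key": key,
        "kind": kind,
        "value_name": vm.group("name").strip('"') if vm else "",
        "target": target,
        "user_writable": user_writable,
        "severity": severity,
    }


def scan(cmdlines):
    """All findings for a list of command lines, paired with the source line."""
    return [(line, f) for line in cmdlines for f in [classify_reg_add(line)] if f]


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_COMMAND_LINES):
        print(f"[{finding['severity']}] {finding['kind']}: {finding['value_name']} -> {finding['target']}")
```

Both the reg.exe line and its cmd /c wrapper are flagged, so the rule fires even where telemetry only captured the parent cmd.exe; the OneDrive line is reported at low severity because the target lives under Program Files, and the Contoso line is ignored because its key is not an autostart location.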
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
Executes dropped EXE (1 IoC)
pid | Process
636 | rundll.exe

Loads dropped DLL (4 IoCs)
pid | Process
636 | rundll.exe (4 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key (1 TTP, 2 IoCs)
pid | Process
216 | reg.exe
2936 | reg.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
3988 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe (22 entries)
636 | rundll.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3988 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
Token: SeIncBasePriorityPrivilege | 636 | rundll.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
636 | rundll.exe (2 entries)

Suspicious use of WriteProcessMemory (21 IoCs)
Each of the seven writer/target pairs below is listed three times in the report.
description | pid | Process | procid_target
PID 3988 wrote to memory of 636 | 3988 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe | 88
PID 3988 wrote to memory of 3052 | 3988 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe | 89
PID 636 wrote to memory of 5400 | 636 | rundll.exe | 91
PID 3052 wrote to memory of 1548 | 3052 | cmd.exe | 93
PID 1548 wrote to memory of 2936 | 1548 | cmd.exe | 94
PID 5400 wrote to memory of 228 | 5400 | cmd.exe | 95
PID 228 wrote to memory of 216 | 228 | cmd.exe | 96
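The 21 WriteProcessMemory IoCs reduce to seven distinct writer/target pairs, and every target is the writer's own direct child in the Processes section, which is the shape a parent's writes into a freshly created child take rather than injection into an unrelated process. The following Python is an added example for this page, not part of the report: it parses the "wrote to memory of" rows, compares them against the parent/child edges of the process tree, and reports any write whose target is not the writer's child. The rows are transcribed from the table above, the tree edges are read off the Processes section, and the final injection-shaped row is constructed to show the check firing.

```python
"""Cross-check 'PID X wrote to memory of Y' rows against the process tree.

A parent writing into its own direct child is the normal CreateProcess
pattern; a write into any other process is a candidate for injection.
"""
import re

WRITE_ROW_RE = re.compile(r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+)")

# One row per distinct pair from the WriteProcessMemory table above; the
# report lists each of them three times. Transcribed for this example.
WRITE_ROWS = [
    "PID 3988 wrote to memory of 636 3988 JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe 88",
    "PID 3988 wrote to memory of 3052 3988 JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe 89",
    "PID 636 wrote to memory of 5400 636 rundll.exe 91",
    "PID 3052 wrote to memory of 1548 3052 cmd.exe 93",
    "PID 1548 wrote to memory of 2936 1548 cmd.exe 94",
    "PID 5400 wrote to memory of 228 5400 cmd.exe 95",
    "PID 228 wrote to memory of 216 228 cmd.exe 96",
]

# Constructed row, not in the report: a write into a PID that is nobody's
# child in the tree, the shape an injection would have.
INJECTION_ROW = "PID 636 wrote to memory of 4444 636 rundll.exe 97"

# (parent, child) edges read off the Processes section of the report.
PROCESS_TREE_EDGES = [
    (3988, 636), (3988, 3052), (636, 5400), (5400, 228),
    (228, 216), (3052, 1548), (1548, 2936),
]


def parse_write_rows(rows):
    """Return (writer_pid, target_pid) pairs, de-duplicated, in first-seen order."""
    seen = []
    for row in rows:
        m = WRITE_ROW_RE.search(row)
        if m:
            pair = (int(m["writer"]), int(m["target"]))
            if pair not in seen:
                seen.append(pair)
    return seen


def roots(edges):
    """PIDs that appear as a parent but never as a child."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def lineage(edges, pid):
    """Ancestry of pid from the root down, e.g. [3988, 636, 5400, 228, 216]."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def foreign_writes(write_pairs, edges):
    """Write pairs that are not a parent writing into its own direct child."""
    edge_set = set(edges)
    return [pair for pair in write_pairs if pair not in edge_set]


def render_tree(edges, root, depth=0):
    """Indented text rendering of the tree, one line per PID."""
    lines = ["  " * depth + str(root)]
    for parent, child in edges:
        if parent == root:
            lines.extend(render_tree(edges, child, depth + 1))
    return lines


if __name__ == "__main__":
    pairs = parse_write_rows(WRITE_ROWS)
    print("\n".join(render_tree(PROCESS_TREE_EDGES, roots(PROCESS_TREE_EDGES)[0])))
    print("foreign writes in report:", foreign_writes(pairs, PROCESS_TREE_EDGES))
    print("with constructed row:",
          foreign_writes(parse_write_rows(WRITE_ROWS + [INJECTION_ROW]), PROCESS_TREE_EDGES))
```

For this report the foreign-write list is empty and the de-duplicated pairs are exactly the tree edges; the constructed row produces a single hit, (636, 4444), which is the case worth escalating.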
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe"
  PID: 3988
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\rundll.exe
    Command line: "C:\Users\Admin\AppData\Local\rundll.exe"
    PID: 636
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
      PID: 5400
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
        PID: 228
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
          PID: 216
          - Adds policy Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry key
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
    PID: 3052
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
      PID: 1548
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
        PID: 2936
        - Adds policy Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 170B
  MD5: d53c75977954601b591dba8be2f53cd1
  SHA1: 5073b31394b4bb63af3d7ec0985d3a66d209abbe
  SHA256: 789c15d1350284cf0270658c414fa4ed204473644675cb13f9e3981d89724090
  SHA512: baa379fc240cc3e26155eaf71fa61fad78ba781f00615055e5227ccaf81bcde74723231d20b157ed2a78bf354b617da5d9d21a0badb11eb1bb3a87a86cf40ca9
- Filesize: 285KB
  MD5: fe2232f82e4beb5ae483da8e699e1a51
  SHA1: ed2131d0f70e709f8791bfff64d2b8a4cb658ed5
  SHA256: 0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e
  SHA512: df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b
- Filesize: 147KB
  MD5: 4ca8f1c13f632b1168649967e6a97452
  SHA1: 9c5404d99f280a8f6349a3834c0ac167b2c2d6e6
  SHA256: dff25e133d2e25b2b9a713c5f69a9b59d6a3da22a172368adfbd6a6ba7f701cb
  SHA512: 25d601b57054e29e6b77ce7b3ead18f756a0f931445d927919d4297d3d5f77cb447161ad46d9e523bb2a91566734db927eb0d06f258f9a93f02093826ee60bcb
- Filesize: 482KB
  MD5: 6ed55d1f33d1527b87fcb2f8c207c07f
  SHA1: aef79aadf470cf3a0e0d8f34211f7bfc7e0bc240
  SHA256: 5fccdbe0f66f612a1c674ba28c6c788b3ea45ac7b70f5e23f3af2dbf1e33fdbe
  SHA512: 379ed920f7b72329296cc0d84e9c6fb107726ead875765c848564e9f94dd4b3f0cd75b2a80a74249bd618f58631830e0ed0bba0ddf7f781d6d58eee6a11cfd9a