Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/04/2025, 08:09

General

  • Target

    JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe

  • Size

    1.3MB

  • MD5

    c872b3edf73ce17ead51aaeaa802ad9e

  • SHA1

    02e0ddebe07c82a787c0bf7060a1ef65b62c4712

  • SHA256

    16d6fd6bec6386c9b156fa85ce981db98a976e97409f32ce9827f62d5378c76b

  • SHA512

    1bb0098ddc1760378c8db5e9bc0fc3dca079b159027a4b41c4222b4005dcf413773e10a1a60aa7dc4fc3b618fb1658cbbe1d795700b920fdaaab1f28892bb1c6

  • SSDEEP

    24576:KxltQg4lk46epYcmbMzABl3g/B74QKy6GH4pem9eh6058VNK6j3n:KxsagiiNV/4p/Khmn3n

Malware Config

Extracted

Family

latentbot

C2

birazsiradan.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:244
    • C:\Users\Admin\AppData\Local\rundll.exe
      "C:\Users\Admin\AppData\Local\rundll.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5492
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c syscheck.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c syscheck.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:6112

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat

    Filesize

    170B

    MD5

    d53c75977954601b591dba8be2f53cd1

    SHA1

    5073b31394b4bb63af3d7ec0985d3a66d209abbe

    SHA256

    789c15d1350284cf0270658c414fa4ed204473644675cb13f9e3981d89724090

    SHA512

    baa379fc240cc3e26155eaf71fa61fad78ba781f00615055e5227ccaf81bcde74723231d20b157ed2a78bf354b617da5d9d21a0badb11eb1bb3a87a86cf40ca9

  • C:\Users\Admin\AppData\Local\ntdata.dll

    Filesize

    285KB

    MD5

    fe2232f82e4beb5ae483da8e699e1a51

    SHA1

    ed2131d0f70e709f8791bfff64d2b8a4cb658ed5

    SHA256

    0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e

    SHA512

    df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

  • C:\Users\Admin\AppData\Local\ntldr.dll

    Filesize

    147KB

    MD5

    4ca8f1c13f632b1168649967e6a97452

    SHA1

    9c5404d99f280a8f6349a3834c0ac167b2c2d6e6

    SHA256

    dff25e133d2e25b2b9a713c5f69a9b59d6a3da22a172368adfbd6a6ba7f701cb

    SHA512

    25d601b57054e29e6b77ce7b3ead18f756a0f931445d927919d4297d3d5f77cb447161ad46d9e523bb2a91566734db927eb0d06f258f9a93f02093826ee60bcb

  • C:\Users\Admin\AppData\Local\rundll.exe

    Filesize

    482KB

    MD5

    6ed55d1f33d1527b87fcb2f8c207c07f

    SHA1

    aef79aadf470cf3a0e0d8f34211f7bfc7e0bc240

    SHA256

    5fccdbe0f66f612a1c674ba28c6c788b3ea45ac7b70f5e23f3af2dbf1e33fdbe

    SHA512

    379ed920f7b72329296cc0d84e9c6fb107726ead875765c848564e9f94dd4b3f0cd75b2a80a74249bd618f58631830e0ed0bba0ddf7f781d6d58eee6a11cfd9a

  • memory/244-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

    Filesize

    4KB

  • memory/244-26-0x0000000000400000-0x000000000055B000-memory.dmp

    Filesize

    1.4MB

  • memory/5492-17-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/5492-21-0x0000000002480000-0x00000000024A9000-memory.dmp

    Filesize

    164KB

  • memory/5492-16-0x00000000009E0000-0x0000000000A2C000-memory.dmp

    Filesize

    304KB

  • memory/5492-27-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/5492-29-0x0000000002480000-0x00000000024A9000-memory.dmp

    Filesize

    164KB

  • memory/5492-30-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/5492-28-0x00000000009E0000-0x0000000000A2C000-memory.dmp

    Filesize

    304KB

  • memory/5492-31-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB