Analysis
max time kernel: 141s
max time network: 143s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 08:09
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Resource: win10v2004-20250314-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
Size: 1.3MB
MD5: c872b3edf73ce17ead51aaeaa802ad9e
SHA1: 02e0ddebe07c82a787c0bf7060a1ef65b62c4712
SHA256: 16d6fd6bec6386c9b156fa85ce981db98a976e97409f32ce9827f62d5378c76b
SHA512: 1bb0098ddc1760378c8db5e9bc0fc3dca079b159027a4b41c4222b4005dcf413773e10a1a60aa7dc4fc3b618fb1658cbbe1d795700b920fdaaab1f28892bb1c6
SSDEEP: 24576:KxltQg4lk46epYcmbMzABl3g/B74QKy6GH4pem9eh6058VNK6j3n:KxsagiiNV/4p/Khmn3n
Malware Config
Extracted
  Family: latentbot
  Domain: birazsiradan.zapto.org
Signatures

Latentbot family

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll.exe = "\"C:\\Users\\Admin\\AppData\\Local\\rundll.exe \"" | reg.exe

Executes dropped EXE (1 IoC)
  pid | Process
  5492 | rundll.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  5492 | rundll.exe (4 events)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  6112 | reg.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  244 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe (22 events)
  5492 | rundll.exe (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 244 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
  Token: SeIncBasePriorityPrivilege | 5492 | rundll.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5492 | rundll.exe (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 244 wrote to memory of 5492 | 244 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe | 78 (3 events)
  PID 244 wrote to memory of 2208 | 244 | JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe | 79 (3 events)
  PID 5492 wrote to memory of 3532 | 5492 | rundll.exe | 81 (3 events)
  PID 2208 wrote to memory of 3500 | 2208 | cmd.exe | 83 (3 events)
  PID 3500 wrote to memory of 6112 | 3500 | cmd.exe | 84 (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c872b3edf73ce17ead51aaeaa802ad9e.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 244

   2. C:\Users\Admin\AppData\Local\rundll.exe
      Command line: "C:\Users\Admin\AppData\Local\rundll.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5492

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
         - System Location Discovery: System Language Discovery
         PID: 3532

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2208

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3500

         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V rundll.exe /D "\"C:\Users\Admin\AppData\Local\rundll.exe \"" /f
            - Adds policy Run key to start application
            - System Location Discovery: System Language Discovery
            - Modifies registry key
            PID: 6112
Network
MITRE ATT&CK Enterprise v16
Downloads