Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2025, 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
Size: 1.8MB
MD5: c91516f4b0fed457d45a2483f6ff663f
SHA1: 93b103fb0a588a62d26338ef215651b5db222713
SHA256: 0ffba74d621982cd05fcfe74276a5bbbd10590e06bb74144fabdfa585976b1a2
SHA512: 0cf78cfe6c8744b65b485e1ca71e1916f5921a4aaa84f3f2ef2e276b58bfc6708267a46a8e00d92beb012a0857516647dc4c0dfbcba8744e46d8b247ee6c1bdc
SSDEEP: 24576:xwrQnzBfcKIwr739w+ktnfmf936H77hoFhIqWaE5zD0GOiOJrosMpbcIeAM4dOWT:SMfnIwitQ9Kb/vVzD05imR4b5TPpZCa
Malware Config
Extracted
Family: latentbot
Domain: yeniceriler.zapto.org
Signatures

Latentbot family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | standard.exe

Executes dropped EXE (3 IoCs)
pid | Process
1176 | standard.exe
2348 | dsds.exe
4408 | rundll.exe

Loads dropped DLL (4 IoCs)
pid | Process
4408 | rundll.exe
4408 | rundll.exe
2348 | dsds.exe
2348 | dsds.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" | reg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | standard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dsds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key (1 TTP, 3 IoCs)
pid | Process
4776 | reg.exe
2264 | reg.exe
4748 | reg.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
1176 | standard.exe
1176 | standard.exe
1176 | standard.exe
1176 | standard.exe
1176 | standard.exe
1176 | standard.exe
4408 | rundll.exe
4408 | rundll.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1176 | standard.exe
Token: SeIncBasePriorityPrivilege | 1176 | standard.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2348 | dsds.exe
4408 | rundll.exe
2348 | dsds.exe
2348 | dsds.exe

Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 1508 wrote to memory of 1176 | 1508 | JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | 88
PID 1508 wrote to memory of 1176 | 1508 | JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | 88
PID 1508 wrote to memory of 1176 | 1508 | JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe | 88
PID 1176 wrote to memory of 2348 | 1176 | standard.exe | 89
PID 1176 wrote to memory of 2348 | 1176 | standard.exe | 89
PID 1176 wrote to memory of 2348 | 1176 | standard.exe | 89
PID 1176 wrote to memory of 908 | 1176 | standard.exe | 90
PID 1176 wrote to memory of 908 | 1176 | standard.exe | 90
PID 1176 wrote to memory of 908 | 1176 | standard.exe | 90
PID 1176 wrote to memory of 624 | 1176 | standard.exe | 91
PID 1176 wrote to memory of 624 | 1176 | standard.exe | 91
PID 1176 wrote to memory of 624 | 1176 | standard.exe | 91
PID 1176 wrote to memory of 3372 | 1176 | standard.exe | 93
PID 1176 wrote to memory of 3372 | 1176 | standard.exe | 93
PID 1176 wrote to memory of 3372 | 1176 | standard.exe | 93
PID 1176 wrote to memory of 4408 | 1176 | standard.exe | 96
PID 1176 wrote to memory of 4408 | 1176 | standard.exe | 96
PID 1176 wrote to memory of 4408 | 1176 | standard.exe | 96
PID 3372 wrote to memory of 4764 | 3372 | cmd.exe | 97
PID 3372 wrote to memory of 4764 | 3372 | cmd.exe | 97
PID 3372 wrote to memory of 4764 | 3372 | cmd.exe | 97
PID 624 wrote to memory of 4792 | 624 | cmd.exe | 99
PID 4764 wrote to memory of 4776 | 4764 | cmd.exe | 98
PID 624 wrote to memory of 4792 | 624 | cmd.exe | 99
PID 624 wrote to memory of 4792 | 624 | cmd.exe | 99
PID 4764 wrote to memory of 4776 | 4764 | cmd.exe | 98
PID 4764 wrote to memory of 4776 | 4764 | cmd.exe | 98
PID 4792 wrote to memory of 4748 | 4792 | cmd.exe | 100
PID 4792 wrote to memory of 4748 | 4792 | cmd.exe | 100
PID 4792 wrote to memory of 4748 | 4792 | cmd.exe | 100
PID 908 wrote to memory of 8 | 908 | cmd.exe | 105
PID 908 wrote to memory of 8 | 908 | cmd.exe | 105
PID 908 wrote to memory of 8 | 908 | cmd.exe | 105
PID 8 wrote to memory of 2264 | 8 | cmd.exe | 106
PID 8 wrote to memory of 2264 | 8 | cmd.exe | 106
PID 8 wrote to memory of 2264 | 8 | cmd.exe | 106
Processes
(indentation shows parent/child depth; each entry lists image path, command line, PID, and matched signatures)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"
    PID: 1508
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\standard.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\standard.exe"
        PID: 1176
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\dsds.exe
            Command line: "C:\Users\Admin\AppData\Roaming\dsds.exe"
            PID: 2348
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
            PID: 908
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                PID: 8
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                    PID: 2264
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
            PID: 624
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                PID: 4792
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                    PID: 4748
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c syscheck.bat
            PID: 3372
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                PID: 4764
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe
                    Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                    PID: 4776
                    - Adds Run key to start application
                    - System Location Discovery: System Language Discovery
                    - Modifies registry key

        C:\Users\Admin\AppData\Roaming\rundll.exe
            Command line: "C:\Users\Admin\AppData\Roaming\rundll.exe"
            PID: 4408
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
    PID: 2464

C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
    PID: 5184

C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
    PID: 6124
Network
MITRE ATT&CK Enterprise v16
Downloads