Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2025, 11:29

General

  • Target

    JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe

  • Size

    1.8MB

  • MD5

    c91516f4b0fed457d45a2483f6ff663f

  • SHA1

    93b103fb0a588a62d26338ef215651b5db222713

  • SHA256

    0ffba74d621982cd05fcfe74276a5bbbd10590e06bb74144fabdfa585976b1a2

  • SHA512

    0cf78cfe6c8744b65b485e1ca71e1916f5921a4aaa84f3f2ef2e276b58bfc6708267a46a8e00d92beb012a0857516647dc4c0dfbcba8744e46d8b247ee6c1bdc

  • SSDEEP

    24576:xwrQnzBfcKIwr739w+ktnfmf936H77hoFhIqWaE5zD0GOiOJrosMpbcIeAM4dOWT:SMfnIwitQ9Kb/vVzD05imR4b5TPpZCa

Malware Config

Extracted

Family

latentbot

C2

yeniceriler.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in the wild since 2013.

  • Latentbot family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTP, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\standard.exe
      "C:\Users\Admin\AppData\Local\Temp\standard.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Roaming\dsds.exe
        "C:\Users\Admin\AppData\Roaming\dsds.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:8
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2264
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c syscheck.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4748
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c syscheck.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4764
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:4776
      • C:\Users\Admin\AppData\Roaming\rundll.exe
        "C:\Users\Admin\AppData\Roaming\rundll.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4408
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
    1⤵
      PID:2464
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
      1⤵
        PID:5184
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "
        1⤵
          PID:6124

Network

MITRE ATT&CK Enterprise v16

Downloads

        • C:\Users\Admin\AppData\Local\Temp\standard.exe

          Filesize

          1.4MB

          MD5

          8273deb5a080d6d61c83ea61bc0432bd

          SHA1

          4206efd74c48c13aee33f07f720a2b6bd91dce99

          SHA256

          0728c0ba138b10eecf4a7171eeee912ec4b5b74ffbcbc60bfb5bfbd9179b83e2

          SHA512

          bd10373c35ed1a4998c01c7a51277b857a71fe9b17617e04831cf77d3a48f39e74efca9ab3b79fe4b1104f2a4b58ed823c87581c93f7818a67124c8ccf881453

        • C:\Users\Admin\AppData\Local\Temp\syscheck.bat

          Filesize

          152B

          MD5

          39f2d111253e3714e37ff12202e0bf12

          SHA1

          6172623d832a71b82a9c34063237f247e5bc1364

          SHA256

          9145bfaeb4e64deb3cea8448f1f7025589456b892530d052f499bfc33325dedd

          SHA512

          949e275fbaa7c7bc53b3de7b1ac8580ac449ae6203d0e7aba7f9a43cb75c4cf067bbfd0cc5d32a7f7f55843e90b155ba7b6bbc42e318a260667b8c62022cca08

        • C:\Users\Admin\AppData\Roaming\dsds.exe

          Filesize

          372KB

          MD5

          093a2b6f57aceba469f3c4197a446a75

          SHA1

          308103393607bd57e87327b32c1d4b990410290a

          SHA256

          ddee4cf79091b1ae7b8f27ce3f73a2d27d675f882642cb2e66ce8c291f6a0296

          SHA512

          1dd430d13c1a1bc54a47f9a6dfa31854a594c593000464e326048febd14fe6c8ce53569970c92bc19fab392a2864827966e8b07c2d702f01f319578964a85fb6

        • C:\Users\Admin\AppData\Roaming\ntldr.dll

          Filesize

          185KB

          MD5

          c9b76bea3062300dd2957be713c77ba1

          SHA1

          8c30562d91ecb2f4ada92ec927c0bbe4ab869ed1

          SHA256

          2c017cc4fb05277095eb9be218c58e6041d985510f36678ec32bb4f74d7c493e

          SHA512

          0cb98c144720164c525d7b23de0b23e5eb27e5461f2823932a4420983a99a81ab7860e4b200bbd40a1d3e74ed2264418957cbb511a5bc0c1d5202a84dda4b089

        • C:\Users\Admin\AppData\Roaming\rundll.exe

          Filesize

          398KB

          MD5

          fc2a1b816f6eafdad8e16ddffb2d0e6d

          SHA1

          ebc44b31b897ca7d6b533c15431a7920831437a1

          SHA256

          ec9df8fb7a59dd03918a819316406a4091f0b5db7f88afee13aa4227d61eb7cd

          SHA512

          c1f94ec71cc7805f7c3ca199edeed1a5e8254d6d0873c0e6db33ac1bf72c22db8c51a0f9b9a7502092944fa139a6beea7b377de2fd57df780999c25a1e8544b3

        • memory/1176-10-0x0000000000400000-0x0000000000569000-memory.dmp

          Filesize

          1.4MB

        • memory/1176-45-0x0000000000400000-0x0000000000569000-memory.dmp

          Filesize

          1.4MB

        • memory/1508-0-0x0000000000510000-0x0000000000511000-memory.dmp

          Filesize

          4KB

        • memory/1508-9-0x0000000004000000-0x00000000041DB000-memory.dmp

          Filesize

          1.9MB

        • memory/2348-48-0x0000000004710000-0x0000000004742000-memory.dmp

          Filesize

          200KB

        • memory/2348-59-0x0000000004710000-0x0000000004742000-memory.dmp

          Filesize

          200KB

        • memory/4408-42-0x00000000006B0000-0x00000000006E2000-memory.dmp

          Filesize

          200KB

        • memory/4408-61-0x00000000006B0000-0x00000000006E2000-memory.dmp

          Filesize

          200KB

        • memory/4408-60-0x0000000000400000-0x000000000046F000-memory.dmp

          Filesize

          444KB