Analysis
max time kernel: 150s
max time network: 144s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
Size: 1.8MB
MD5: c91516f4b0fed457d45a2483f6ff663f
SHA1: 93b103fb0a588a62d26338ef215651b5db222713
SHA256: 0ffba74d621982cd05fcfe74276a5bbbd10590e06bb74144fabdfa585976b1a2
SHA512: 0cf78cfe6c8744b65b485e1ca71e1916f5921a4aaa84f3f2ef2e276b58bfc6708267a46a8e00d92beb012a0857516647dc4c0dfbcba8744e46d8b247ee6c1bdc
SSDEEP: 24576:xwrQnzBfcKIwr739w+ktnfmf936H77hoFhIqWaE5zD0GOiOJrosMpbcIeAM4dOWT:SMfnIwitQ9Kb/vVzD05imR4b5TPpZCa
Malware Config
Extracted configuration
  Family: latentbot
  Domain: yeniceriler.zapto.org
Signatures

Latentbot family

Executes dropped EXE (3 IoCs)
  pid   process
  3368  standard.exe
  5300  dsds.exe
  3316  rundll.exe

Loads dropped DLL (4 IoCs)
  pid   process
  3316  rundll.exe (2 events)
  5300  dsds.exe (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntldr.dll = "\"C:\\Users\\Admin\\AppData\\Roaming\\ntldr.dll \"" by reg.exe
  (reported twice, once for each reg.exe instance, PIDs 928 and 4908)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by
    cmd.exe (5 events)
    reg.exe (2 events)
    rundll.exe
    JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe
    standard.exe
    dsds.exe

Modifies registry key (1 TTP, 2 IoCs)
  pid   process
  4908  reg.exe
  928   reg.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process
  3368  standard.exe (6 events)
  3316  rundll.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeIncBasePriorityPrivilege  pid 3368  standard.exe (2 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  5300  dsds.exe (3 events)
  3316  rundll.exe (1 event)
Suspicious use of WriteProcessMemory (30 IoCs)
  Each edge below was reported three times (30 events in total).
  pid   process                                              wrote to pid   procid_target
  2728  JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe   3368           78
  3368  standard.exe                                         5300           79
  3368  standard.exe                                         3176           80
  3368  standard.exe                                         3552           81
  3368  standard.exe                                         1252           84
  3368  standard.exe                                         3316           86
  3552  cmd.exe                                              5628           87
  5628  cmd.exe                                              928            88
  1252  cmd.exe                                              4896           90
  4896  cmd.exe                                              4908           92
  Every edge coincides with a parent/child pair in the process tree below, so these events are consistent with ordinary process creation (the parent writing the new child's startup data) rather than injection into an unrelated process.
Processes
(indentation shows depth in the tree; the numeral the sandbox printed after each command line was that depth)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe  PID 2728
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\standard.exe  PID 3368
      command line: "C:\Users\Admin\AppData\Local\Temp\standard.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\dsds.exe  PID 5300
          command line: "C:\Users\Admin\AppData\Roaming\dsds.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe  PID 3176
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe  PID 3552
          command line: C:\Windows\system32\cmd.exe /c syscheck.bat
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe  PID 5628
              command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe  PID 928
                  command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe  PID 1252
          command line: C:\Windows\system32\cmd.exe /c syscheck.bat
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe  PID 4896
              command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe  PID 4908
                  command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll /D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Modifies registry key

        C:\Users\Admin\AppData\Roaming\rundll.exe  PID 3316
          command line: "C:\Users\Admin\AppData\Roaming\rundll.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe  PID 4888
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

C:\Windows\system32\cmd.exe  PID 4976
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ntldr.dll "

Notes on the tree:
- The cmd.exe and reg.exe children of the sample are the SysWOW64 copies even though their command lines name C:\Windows\system32: the sample is 32-bit (resource tag arch:x86), so WOW64 file system redirection resolves system32 to SysWOW64 for it and everything it spawns.
- syscheck.bat is started three times (PIDs 3176, 3552 and 1252). The latter two each spawn a cmd /c wrapper and then reg.exe, which is why the same Run value is written twice (reg.exe PIDs 928 and 4908).
- The Run value data is the quoted string "C:\Users\Admin\AppData\Roaming\ntldr.dll " with a trailing space inside the quotes. The two root-level cmd.exe processes (PIDs 4888 and 4976) carry exactly that string as their /c argument and have no recorded child process. The value name borrows the name of the legacy NT boot loader (ntldr), and rundll.exe in Roaming is a dropped file, not the Windows rundll32.exe in System32.
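The two things an analyst wants from the "Adds Run key" signature and the process tree above are the actual launch path hidden under the nested quoting of the REG ADD /D argument, and the chain of parents that leads from reg.exe back to the original sample. The following is an added example, not tria.ge code and not part of the sample: a small detector over process-creation events. The event shape (pid, ppid, image, command_line) is an assumption modelled on Sysmon Event ID 1, and the EVENTS list is constructed from the process tree in this report rather than captured telemetry.

```python
"""Run-key persistence detector over process-creation telemetry.

Added example for this report; not tria.ge code and not part of the sample.
Event shape is an assumption modelled on Sysmon Event ID 1; EVENTS is
constructed from the report's process tree, not captured telemetry.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # on-disk image (SysWOW64 for the 32-bit sample's children)
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    value_name: str
    stored_data: str        # the string reg.exe writes into the Run value
    target_path: str        # the path left once stored quotes and padding are removed
    chain: tuple[str, ...]  # image basenames, child first, up to the root
    user_writable: bool     # target lives under a user profile (heuristic)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91516f4b0fed457d45a2483f6ff663f.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG_ADD = (r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V ntldr.dll '
           r'/D "\"C:\Users\Admin\AppData\Roaming\ntldr.dll \"" /f')

# Constructed from the report's process tree. ppid 0 stands for the sandbox
# launcher, which the report does not show.
EVENTS = [
    ProcEvent(2728, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3368, 2728, r"C:\Users\Admin\AppData\Local\Temp\standard.exe", r'"C:\Users\Admin\AppData\Local\Temp\standard.exe"'),
    ProcEvent(5300, 3368, r"C:\Users\Admin\AppData\Roaming\dsds.exe", r'"C:\Users\Admin\AppData\Roaming\dsds.exe"'),
    ProcEvent(3176, 3368, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "'),
    ProcEvent(3552, 3368, CMD, r"C:\Windows\system32\cmd.exe /c syscheck.bat"),
    ProcEvent(5628, 3552, CMD, "cmd /c " + REG_ADD),
    ProcEvent(928, 5628, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    ProcEvent(1252, 3368, CMD, r"C:\Windows\system32\cmd.exe /c syscheck.bat"),
    ProcEvent(4896, 1252, CMD, "cmd /c " + REG_ADD),
    ProcEvent(4908, 4896, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    ProcEvent(3316, 3368, r"C:\Users\Admin\AppData\Roaming\rundll.exe", r'"C:\Users\Admin\AppData\Roaming\rundll.exe"'),
]

# REG ADD <key ending in CurrentVersion\Run or RunOnce> /V <name> /D <data> [/f]
RUN_KEY_RE = re.compile(
    r"\bREG\s+ADD\s+(?P<key>HK\w+\\\S*\\CurrentVersion\\Run(?:Once)?)\s+"
    r"/V\s+(?P<name>\S+)\s+/D\s+(?P<data>.+?)(?:\s+/f\b|\s*$)",
    re.IGNORECASE,
)


def unwrap_reg_data(arg: str) -> tuple[str, str]:
    """Peel the quoting layers of a REG ADD /D argument.

    Returns (stored_data, target_path): what reg.exe stores in the value, and
    the bare path once the stored quotes and padding are stripped, so it can be
    compared with file-create events and autorun listings.
    """
    s = arg.strip()
    if len(s) >= 2 and s[0] == '"' == s[-1]:
        s = s[1:-1]                 # outer quotes are consumed by reg.exe's argv parsing
    stored = s.replace('\\"', '"')  # \" survives as a literal quote in the stored data
    target = stored.strip()
    if len(target) >= 2 and target[0] == '"' == target[-1]:
        target = target[1:-1]       # quotes inside the value delimit the launch path
    return stored, target.strip()   # drops the trailing space seen in this sample


def ancestry(by_pid: dict[int, ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk ppid links from pid to the root, child first; stops on gaps or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def under_user_profile(path: str) -> bool:
    # Heuristic: anything beneath a per-user profile is writable by that user.
    return re.match(r"[a-z]:\\users\\", path, re.IGNORECASE) is not None


def detect_run_key_persistence(events: list[ProcEvent]) -> list[Finding]:
    """Flag reg.exe processes that add a Run/RunOnce value and attribute each
    one to the process that ultimately caused it."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        # Only the reg.exe event is the actual write; the cmd.exe wrappers carry
        # the same text and would count the same action three times.
        if ntpath.basename(ev.image).lower() != "reg.exe":
            continue
        m = RUN_KEY_RE.search(ev.command_line)
        if not m:
            continue
        stored, target = unwrap_reg_data(m.group("data"))
        chain = tuple(ntpath.basename(e.image) for e in ancestry(by_pid, ev.pid))
        findings.append(Finding(ev.pid, m.group("name"), stored, target, chain,
                                under_user_profile(target)))
    return findings


if __name__ == "__main__":
    for f in detect_run_key_persistence(EVENTS):
        print(f"pid {f.pid}: Run\\{f.value_name} -> {f.target_path} "
              f"(user-writable={f.user_writable}) via {' <- '.join(f.chain)}")
```

Filtering on the reg.exe image rather than on any command line containing REG ADD is deliberate: the two cmd.exe wrappers in each chain carry the identical text, and matching them would report one registry write as three. The ancestry walk is what turns a generic "reg.exe touched Run" alert into a finding rooted at the dropped sample.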
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 1.4MB
MD5: 8273deb5a080d6d61c83ea61bc0432bd
SHA1: 4206efd74c48c13aee33f07f720a2b6bd91dce99
SHA256: 0728c0ba138b10eecf4a7171eeee912ec4b5b74ffbcbc60bfb5bfbd9179b83e2
SHA512: bd10373c35ed1a4998c01c7a51277b857a71fe9b17617e04831cf77d3a48f39e74efca9ab3b79fe4b1104f2a4b58ed823c87581c93f7818a67124c8ccf881453

Filesize: 152B
MD5: 39f2d111253e3714e37ff12202e0bf12
SHA1: 6172623d832a71b82a9c34063237f247e5bc1364
SHA256: 9145bfaeb4e64deb3cea8448f1f7025589456b892530d052f499bfc33325dedd
SHA512: 949e275fbaa7c7bc53b3de7b1ac8580ac449ae6203d0e7aba7f9a43cb75c4cf067bbfd0cc5d32a7f7f55843e90b155ba7b6bbc42e318a260667b8c62022cca08

Filesize: 372KB
MD5: 093a2b6f57aceba469f3c4197a446a75
SHA1: 308103393607bd57e87327b32c1d4b990410290a
SHA256: ddee4cf79091b1ae7b8f27ce3f73a2d27d675f882642cb2e66ce8c291f6a0296
SHA512: 1dd430d13c1a1bc54a47f9a6dfa31854a594c593000464e326048febd14fe6c8ce53569970c92bc19fab392a2864827966e8b07c2d702f01f319578964a85fb6

Filesize: 185KB
MD5: c9b76bea3062300dd2957be713c77ba1
SHA1: 8c30562d91ecb2f4ada92ec927c0bbe4ab869ed1
SHA256: 2c017cc4fb05277095eb9be218c58e6041d985510f36678ec32bb4f74d7c493e
SHA512: 0cb98c144720164c525d7b23de0b23e5eb27e5461f2823932a4420983a99a81ab7860e4b200bbd40a1d3e74ed2264418957cbb511a5bc0c1d5202a84dda4b089

Filesize: 398KB
MD5: fc2a1b816f6eafdad8e16ddffb2d0e6d
SHA1: ebc44b31b897ca7d6b533c15431a7920831437a1
SHA256: ec9df8fb7a59dd03918a819316406a4091f0b5db7f88afee13aa4227d61eb7cd
SHA512: c1f94ec71cc7805f7c3ca199edeed1a5e8254d6d0873c0e6db33ac1bf72c22db8c51a0f9b9a7502092944fa139a6beea7b377de2fd57df780999c25a1e8544b3