Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2025, 05:34

General

  • Target

    JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe

  • Size

    420KB

  • MD5

    045542e9adb32b39adba08d93dd6b071

  • SHA1

    0dea99e9cf48c1af198e05f43cf2db9138713574

  • SHA256

    bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f

  • SHA512

    e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

  • SSDEEP

    6144:LK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSF:u3HcVvo21ga0aQ4HLJhkHM6jI7VD7wc

Malware Config

Extracted

Family

latentbot

C2

alternative.zapto.org

1alternative.zapto.org

2alternative.zapto.org

3alternative.zapto.org

4alternative.zapto.org

5alternative.zapto.org

6alternative.zapto.org

7alternative.zapto.org

8alternative.zapto.org

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 3 IoCs
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3344
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4744
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:548
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4276
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
      C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4240

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

          Filesize

          420KB

          MD5

          045542e9adb32b39adba08d93dd6b071

          SHA1

          0dea99e9cf48c1af198e05f43cf2db9138713574

          SHA256

          bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f

          SHA512

          e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

        • memory/3456-5-0x0000000075891000-0x0000000075892000-memory.dmp

          Filesize

          4KB

        • memory/3456-6-0x0000000075870000-0x0000000075960000-memory.dmp

          Filesize

          960KB

        • memory/3456-7-0x0000000075870000-0x0000000075960000-memory.dmp

          Filesize

          960KB

        • memory/3456-14-0x0000000075870000-0x0000000075960000-memory.dmp

          Filesize

          960KB

        • memory/3456-17-0x0000000075870000-0x0000000075960000-memory.dmp

          Filesize

          960KB