Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15/05/2025, 05:34

General

  • Target

    JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe

  • Size

    420KB

  • MD5

    045542e9adb32b39adba08d93dd6b071

  • SHA1

    0dea99e9cf48c1af198e05f43cf2db9138713574

  • SHA256

    bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f

  • SHA512

    e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

  • SSDEEP

    6144:LK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSF:u3HcVvo21ga0aQ4HLJhkHM6jI7VD7wc

Malware Config

Extracted

Family

latentbot

C2

alternative.zapto.org

1alternative.zapto.org

3alternative.zapto.org

5alternative.zapto.org

7alternative.zapto.org

2alternative.zapto.org

4alternative.zapto.org

6alternative.zapto.org

8alternative.zapto.org

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 2 IoCs
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Latentbot family
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5396
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_045542e9adb32b39adba08d93dd6b071.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4924
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:5020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5872
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:436
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
      C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4376

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ZUXMY7FV0B.exe

          Filesize

          420KB

          MD5

          045542e9adb32b39adba08d93dd6b071

          SHA1

          0dea99e9cf48c1af198e05f43cf2db9138713574

          SHA256

          bf39e89c584c512c8948a6200b85e66ded15727ad92dcafbea2951278b07fb3f

          SHA512

          e6906614d4bd4ecb6451669016b8fdb14efe9230c337faa5fe1a1a27feba4b5214e40d28ccfa1ed4f61caa3509c2363721abf719fa85f5b8707cf6190142f29f

        • memory/8-5-0x0000000075E09000-0x0000000075E0A000-memory.dmp

          Filesize

          4KB

        • memory/8-6-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB

        • memory/8-8-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB

        • memory/8-7-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB

        • memory/8-15-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB

        • memory/8-16-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB

        • memory/8-19-0x0000000075DF0000-0x0000000075EE0000-memory.dmp

          Filesize

          960KB