Overview

overview

10

Static

static

3

159f90d050...18.exe

windows7-x64

10

159f90d050...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118

  • Size

    600KB

  • Sample

    240627-marksawckc

  • MD5

    159f90d0509b218f3d15d1d5fb32385e

  • SHA1

    94768dcaee022019f876293a222eaa57d7e9d4a6

  • SHA256

    c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f

  • SHA512

    444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123

  • SSDEEP

    12288:T31YUfnn4/2Ywhh5tH6Q4CvPybjdFoDI86tABMr:OAjHH2CvPynPt8H

Score
10/10
latentbotbootkitevasionpersistencetrojan

Malware Config

Extracted

Family

latentbot

C2

nyandcompany.zapto.org

1nyandcompany.zapto.org

2nyandcompany.zapto.org

3nyandcompany.zapto.org

4nyandcompany.zapto.org

5nyandcompany.zapto.org

6nyandcompany.zapto.org

7nyandcompany.zapto.org

8nyandcompany.zapto.org

Targets

    • Target

      159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118

    • Size

      600KB

    • MD5

      159f90d0509b218f3d15d1d5fb32385e

    • SHA1

      94768dcaee022019f876293a222eaa57d7e9d4a6

    • SHA256

      c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f

    • SHA512

      444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123

    • SSDEEP

      12288:T31YUfnn4/2Ywhh5tH6Q4CvPybjdFoDI86tABMr:OAjHH2CvPynPt8H

    Score
    10/10
    latentbotbootkitevasionpersistencetrojan

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

      trojanlatentbot

    • Modifies firewall policy service

      evasion

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks