latentbot | 6e5988c481f6aeb587b13c8ac878c14a14bae316461f02698025e2abc420ee82

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
Size

2.2MB
MD5

1fedb1fbce0fc41feabd5c54164547b5
SHA1

d75001fa1f4ff2a391aef04a5158b803d54798cd
SHA256

6e5988c481f6aeb587b13c8ac878c14a14bae316461f02698025e2abc420ee82
SHA512

c5c08e202bd212340e581448dbf6d351ce3fd835313bb05e4b6fb344ba4bb47b9a76d8bba2a4a70c4a3fdcc64fd9fa7fc3926d606482d57abdf0c7323f321521
SSDEEP

24576:HnHngD0Mmf9IvYzAne5uxTjpB0GsdYksLtXf+PIDmJusil3P+uuxT8FtrkzqaiP2:nse5+vv1afusa32dg7dAxxHy4ehFK

Score

10^/10

latentbot persistence trojan

Malware Config

Extracted

Family

latentbot

yeniceriler.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL.EXE1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exemickey.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	RUNDLL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	mickey.exe

Executes dropped EXE 3 IoCs

Processes:

mickey.exeRUNDLL.EXEUNINS000.EXE

pid process

2636 mickey.exe
2892 RUNDLL.EXE
808 UNINS000.EXE
Loads dropped DLL 4 IoCs

Processes:

RUNDLL.EXEUNINS000.EXE

pid process

2892 RUNDLL.EXE
2892 RUNDLL.EXE
808 UNINS000.EXE
808 UNINS000.EXE

pid	process
2636	mickey.exe
2892	RUNDLL.EXE
808	UNINS000.EXE

pid	process
2892	RUNDLL.EXE
2892	RUNDLL.EXE
808	UNINS000.EXE
808	UNINS000.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1088 reg.exe

pid	process
1088	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exemickey.exeRUNDLL.EXE

pid	process
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
2636	mickey.exe
2636	mickey.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
2892	RUNDLL.EXE
2892	RUNDLL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RUNDLL.EXE

pid process

2892 RUNDLL.EXE

pid	process
2892	RUNDLL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exemickey.exeRUNDLL.EXEcmd.execmd.exe

description	pid	process	target process
PID 968 wrote to memory of 2636	968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe	mickey.exe
PID 968 wrote to memory of 2636	968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe	mickey.exe
PID 968 wrote to memory of 2636	968	1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe	mickey.exe
PID 2636 wrote to memory of 2892	2636	mickey.exe	RUNDLL.EXE
PID 2636 wrote to memory of 2892	2636	mickey.exe	RUNDLL.EXE
PID 2636 wrote to memory of 2892	2636	mickey.exe	RUNDLL.EXE
PID 2636 wrote to memory of 808	2636	mickey.exe	UNINS000.EXE
PID 2636 wrote to memory of 808	2636	mickey.exe	UNINS000.EXE
PID 2636 wrote to memory of 808	2636	mickey.exe	UNINS000.EXE
PID 2892 wrote to memory of 1804	2892	RUNDLL.EXE	cmd.exe
PID 2892 wrote to memory of 1804	2892	RUNDLL.EXE	cmd.exe
PID 2892 wrote to memory of 1804	2892	RUNDLL.EXE	cmd.exe
PID 1804 wrote to memory of 4344	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 4344	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 4344	1804	cmd.exe	cmd.exe
PID 4344 wrote to memory of 1088	4344	cmd.exe	reg.exe
PID 4344 wrote to memory of 1088	4344	cmd.exe	reg.exe
PID 4344 wrote to memory of 1088	4344	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fedb1fbce0fc41feabd5c54164547b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\mickey.exe
"C:\Users\Admin\AppData\Local\Temp\mickey.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
"C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
6⤵
- Adds Run key to start application
- Modifies registry key
PID:1088

C:\Users\Admin\AppData\Roaming\UNINS000.EXE
"C:\Users\Admin\AppData\Roaming\UNINS000.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mickey.exe
Filesize
1.9MB

MD5
fda26ab58b66096bdd8f8e1cb79569c7

SHA1
d581aa899a4379b39eabd7101c1c5dbfc2c20e75

SHA256
c9f50f5cecae36801a6af58c4a963677ac841bd906c9610c81a9459aa4fea12a

SHA512
47e0928bc7cbbf6b06e8b6a7e6167005cda7303d04e600f015fe8c4282202b123726c1fbc4b856a55eceed6d12b02a72b12f31bce3f0956e40bcdf2e97a4d90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat
Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll
Filesize
495KB

MD5
55b218cafac2281a0d3ba330e8c4930b

SHA1
b145044d120088be49f1c5d378b86560e69b1eb3

SHA256
72d99aa9b9f1f3c675c185fe983e303afecf4e8971e2e83d41b062c3588866a4

SHA512
f106a6950f8ce1f432a7fb15051c8dd787b68b3151739d58aecc5ed69500dfb9c695a6d203e0f2d2746bc83074243dc835275a24353bdc0f64917cc38b437206

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe
Filesize
512KB

MD5
bc135565b79d80459045107690f8d840

SHA1
e5daed1f571719a01ac6bae7c09044c0751492b5

SHA256
dec0d5991ccd586dc1c4840b667643c92a93a8c0f2c68d84d32c140e1785c3e4

SHA512
1a91089a5661ae54b40323021fea7e941e1a7b3894b5ecda3d3fda7fc4320247ef258688970edf3192a3a0d12ec8881e5795fd8b7bf08404191691b727784f03

Download Submit
C:\Users\Admin\AppData\Roaming\unins000.exe
Filesize
679KB

MD5
0d44ba4db9a8f05b293ea264075b31dd

SHA1
e894fcf4c0c3718021eb8d72e0d34c7d9b7cfd0c

SHA256
aaae5d9d6783e9248919b1ad7b5f46b2b545e7d3faa59c864c485b61f1ad0973

SHA512
21126a90a24ffc494f97eb34c9d2139b052dd586638618bda9d2c296c4844a6e7b1cb3e0f84315ae3f1b5c0cfe0d39c8f60d9a1fcc88c7167e69746da9cba776

Download Submit
memory/808-41-0x0000000005BE0000-0x0000000005C62000-memory.dmp

Filesize
520KB

Download
memory/808-38-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/808-43-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/808-44-0x0000000005BE0000-0x0000000005C62000-memory.dmp

Filesize
520KB

Download
memory/968-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-33-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/2892-34-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2892-30-0x0000000000A50000-0x0000000000AD2000-memory.dmp

Filesize
520KB

Download
memory/2892-45-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2892-46-0x0000000000A50000-0x0000000000AD2000-memory.dmp

Filesize
520KB

Download