{"id":7875,"date":"2017-06-08T08:13:03","date_gmt":"2017-06-08T16:13:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/08\/news-1657\/"},"modified":"2017-06-08T08:13:03","modified_gmt":"2017-06-08T16:13:03","slug":"news-1657","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/08\/news-1657\/","title":{"rendered":"LatentBot piece by piece"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Thu, 08 Jun 2017 15:00:53 +0000<\/strong><\/p>\n<p>LatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we captured and dissected a sample distributed by RIG Exploit Kit.<\/p>\n<p>The main executable is a persistent botnet agent which downloads additional modules and reports about the performed activities to its\u00a0Command and Control server. Depending on the modules that have been installed, LatentBot has various capabilities, including:<\/p>\n<ul>\n<li>Act as a keylogger and form grabber<\/li>\n<li>Steal cookies<\/li>\n<li>Run a Socks Proxy from the victim system<\/li>\n<li>Give remote access to the attacker (VNC \/ Remote Desktop)<\/li>\n<\/ul>\n<p>In this post we will describe those\u00a0modules by taking apart several layers of obfuscation and encryption in order to\u00a0reveal their true nature.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/c3d00a4c9d3bb34c2f01e777a202613deea44fe2b60fa4ccfc59d6c549107b3b\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">011077a7960fa1a7906323dbdc7e3807<\/a> &#8211; original sample, distributed in the campaign\n<ul>\n<li><a href=\"https:\/\/www.hybrid-analysis.com\/sample\/8fda2fe19794835029bf9c67b560498accd30d84abf7423e665295a8603c470a?environmentId=100\" target=\"_blank\" rel=\"noopener noreferrer\">85dcf88487ea412fe4960494713eed6b<\/a> &#8211; unpacked (loader)\n<ul>\n<li><a 
href=\"https:\/\/www.hybrid-analysis.com\/sample\/e8664c10d439790722673ccbfa9f589d3d4fc67a3288e88ef2f82461dbb60830?environmentId=100\" target=\"_blank\" rel=\"noopener noreferrer\">60c3232b90c773ed9c4990da7cc3bbdb<\/a> &#8211; injected into <em>svchost<\/em>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/b1c58bd464859dd1bc35f6402b18f58de9339e02625f48f3f9b81e8150a9e12f\/analysis\/\" target=\"_blank\" rel=\"noopener noreferrer\">e105d87cb79ed668c8b62297259a4dbb<\/a>\u00a0&#8211; injected into <em>iexplore<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Downloaded modules, injected into <em>svchost<\/em>:<\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/d649e068e740a171768684dd46c20dd86ef53449bb385442b370619ee01a3f10\/analysis\/1495644392\/\" target=\"_blank\" rel=\"noopener noreferrer\">e3fb224201592c02b6250532e99416f0<\/a> &#8211; main module\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/0ff1fa8023030b20eaf10641516bc977d8fafa3e2258c1f46cacd8fd7ec33a0e\/analysis\/1495644410\/\" target=\"_blank\" rel=\"noopener noreferrer\">fcf8479361a24618c3e4aa552dccfc33<\/a> &#8211; module #1<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/c843d846c8e391cf078908d67ea10dd4aa9ebb6abc1e4592bcff8cb12a720a6b\/analysis\/1495644426\/\" target=\"_blank\" rel=\"noopener noreferrer\">2268f50ac4bbd7002f6601568448e1d3<\/a> &#8211; module #2<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/1b5aea4b0e840ca4e0f78587335fcafc3dbf79a9286ce5face195723913206ba\/analysis\/1495644435\/\" target=\"_blank\" rel=\"noopener noreferrer\">f461c9a2e1010aae1ad6ade8cf9396e5<\/a> &#8211; module #3<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/4ede95a34ab8533af5265712122999cf5a6d18cc309175173951268a92715d06\/analysis\/1495644447\/\" target=\"_blank\" rel=\"noopener noreferrer\">5cb8d981574da528b5f65aa9b2163eb3<\/a> &#8211; module #4<\/li>\n<li><a 
href=\"https:\/\/virustotal.com\/en\/file\/97618ff7dd2bccd669d6f50d79980ea28c236d7f127a472718b502fea459158e\/analysis\/1495644455\/\" target=\"_blank\" rel=\"noopener noreferrer\">5803cab0bec92f21d3c3d22f7920eca0<\/a> &#8211; module #5<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/0e93ad8a6a761bf818835e15c559028a06d37a520471ff890368a1a618c77674\/analysis\/1495644463\/\" target=\"_blank\" rel=\"noopener noreferrer\">5fd5b8ae1ae41a620a32f4ce96638ab9<\/a> &#8211; module #6<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>After being deployed, the original sample installs itself and deletes the file from its original location. It injects the initial module (<a href=\"https:\/\/www.virustotal.com\/en\/file\/e8664c10d439790722673ccbfa9f589d3d4fc67a3288e88ef2f82461dbb60830\/analysis\/1496222587\/\" target=\"_blank\" rel=\"noopener noreferrer\">60c3232b90c773ed9c4990da7cc3bbdb<\/a>) into <em>svchost<\/em>. That module performs another injection, of module <a href=\"https:\/\/www.virustotal.com\/en\/file\/0521c9246ad9faae379717b17045fc66d1812eaccc39eaa3524347f8e8027b59\/analysis\/1496224646\/\" target=\"_blank\" rel=\"noopener noreferrer\">b622a0b443f36d99d5595acd0f95ea0e<\/a>, into Internet Explorer (<em>iexplore.exe<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18135\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_injection.png\" alt=\"\" width=\"707\" height=\"37\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_injection.png 707w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_injection-300x16.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_injection-600x31.png 600w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/p>\n<p>The module injected into the <em>iexplore.exe<\/em> process is responsible for establishing the connection with the CnC and 
downloading submodules.<\/p>\n<p>At this stage, LatentBot creates two groups of registry keys:<\/p>\n<pre>...\\Software\\Google\\Update\\network\\secure<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18138\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_keys.png\" alt=\"\" width=\"962\" height=\"206\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_keys.png 962w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_keys-300x64.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/initial_keys-600x128.png 600w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/p>\n<p>In the key named &#8220;0&#8221; the initial PE file is stored:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18093\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/stored_mz.png\" alt=\"\" width=\"453\" height=\"328\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/stored_mz.png 453w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/stored_mz-300x217.png 300w\" sizes=\"auto, (max-width: 453px) 100vw, 453px\" \/><\/p>\n<p>Another encrypted key is added under:<\/p>\n<pre>...\\Software\\Adobe\\Adobe Acrobat<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18139\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adobe_key.png\" alt=\"\" width=\"933\" height=\"166\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adobe_key.png 933w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adobe_key-300x53.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/adobe_key-600x107.png 600w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/p>\n<p>The data under the key &#8220;<em>in<\/em>&#8221; is encrypted by a custom algorithm, typical of LatentBot, 
that is used throughout the bot (it can be decoded by a dedicated <a href=\"https:\/\/github.com\/hasherezade\/malware_analysis\/blob\/master\/latent_bot\/latent_decode.cpp\" target=\"_blank\" rel=\"noopener noreferrer\">application<\/a>). After decoding, it gives the path where the malware installed itself, e.g.:<\/p>\n<pre>C:\\Users\\tester\\AppData\\Local\\Microsoft\\Windows\\shfdnoh.exe<\/pre>\n<p>If the CnC is active and the bot managed to download sub-modules, each of them is run injected into a new instance of <em>svchost<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18141\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/running_modules.png\" alt=\"\" width=\"705\" height=\"96\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/running_modules.png 705w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/running_modules-300x41.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/running_modules-600x82.png 600w\" sizes=\"auto, (max-width: 705px) 100vw, 705px\" \/><\/p>\n<p>The main module is deployed with a parameter: <strong>-l MxN4ViazcD<\/strong><\/p>\n<p>This parameter specifies the group ID the bot belongs to (also encrypted with LatentBot&#8217;s custom crypto).<\/p>\n<pre>MxN4ViazcD -&gt; <strong>Group 1<\/strong><\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18131\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/main_module.png\" alt=\"\" width=\"757\" height=\"254\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/main_module.png 757w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/main_module-300x101.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/main_module-600x201.png 600w\" sizes=\"auto, (max-width: 757px) 100vw, 757px\" \/><\/p>\n<p>Also, the registry keys related to the new modules are added 
under:<\/p>\n<pre>...\\Software\\Google\\Update\\network\\secure<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18140\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/latent_modules.png\" alt=\"\" width=\"933\" height=\"348\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/latent_modules.png 933w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/latent_modules-300x112.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/latent_modules-600x224.png 600w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/p>\n<p>The decrypted names of the modules are very descriptive:<\/p>\n<pre>FtUFJu5xP3C -&gt; <strong>formgrab<\/strong>\nhdtWD3zyxMpSQB -&gt; <strong>Bot_Engine<\/strong>\nl551X+rNDh3B4A -&gt; <strong>Found_Core<\/strong>\nQdG8eO0qHI8\/Y1G -&gt; <strong>send_report<\/strong>\nQdW\/DoI2F9J -&gt; <strong>security<\/strong>\nRRrIibQs+WzRVv5B+9iIys+17huxID -&gt; <strong>remote_desktop_service<\/strong>\nVRWVBM6UtH6F+7UcwkBKPB -&gt; <strong>vnc_hide_desktop<\/strong>\nw97grmO -&gt; <strong>Socks<\/strong><\/pre>\n<p>Some of the modules collect data on the victim machine and save it in the %TEMP% directory in encrypted form:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18156\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/temp.png\" alt=\"\" width=\"594\" height=\"184\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/temp.png 594w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/temp-300x93.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/p>\n<p>These files are later uploaded to the CnC.<\/p>\n<h4>Persistence<\/h4>\n<p>The basic persistence of LatentBot is simple. 
The initial sample is copied into:<\/p>\n<p><em>C:\\Users\\[current user]\\AppData\\Local\\Microsoft\\Windows\\&lt;random_name&gt;.exe<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18206\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/saved_path.png\" alt=\"\" width=\"601\" height=\"181\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/saved_path.png 601w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/saved_path-300x90.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/saved_path-600x181.png 600w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/p>\n<p>It is executed on each system startup thanks to a simple Run key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18207\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/run_key.png\" alt=\"\" width=\"765\" height=\"42\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/run_key.png 765w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/run_key-300x16.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/run_key-600x33.png 600w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/p>\n<p>Once the main module is run, it is responsible for decrypting all the submodules from the registry and loading them.<\/p>\n<h3>Network communication<\/h3>\n<p>The bot starts communication with the CnC by sending a beacon. If the beacon succeeds, it downloads additional modules in encrypted form. 
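The on-host artifacts described so far are what a responder would hunt for first: the copy of the sample under the user profile, the Run key that starts it, the module store under ...\Software\Google\Update\network\secure with the initial PE in the value named "0", and the encrypted "in" value under ...\Software\Adobe\Adobe Acrobat. The Python below is an added example, not code from the post or from LatentBot: it parses a minimal registry export (the text format `reg export` writes) and flags those artifacts. The export is constructed for the example; the key names and the install-path pattern come from the post, while the hive (HKCU), the name of the Run value, the data types of the stored values and their contents are assumptions.

```python
"""Added example (not code from the post or from LatentBot): hunt for the
on-host artifacts the post attributes to LatentBot in a registry export.

Input is the text format produced by `reg export` (a .reg file). Only the key
names and the install-path pattern come from the post; the .reg content below
is constructed, and the Run value name, the data types of the stored values
and their contents are assumptions.
"""
import re

# Key paths from the post, relative to the hive (assumed HKCU here; exports of
# other profiles under HKEY_USERS\<SID>\... are handled as well).
MODULE_STORE = r"software\google\update\network\secure"   # encrypted modules; "0" holds the initial PE
CONFIG_KEY = r"software\adobe\adobe acrobat"              # value "in": encrypted install path
RUN_KEY = r"software\microsoft\windows\currentversion\run"

# Install path from the post: <profile>\AppData\Local\Microsoft\Windows\<random>.exe
INSTALL_PATH_RE = re.compile(
    r'\\appdata\\local\\microsoft\\windows\\[^\\"]+\.exe"?\s*$', re.IGNORECASE)

# Minimal .reg grammar: [key] sections, then "name"=... or @=... values.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample export: one benign Run entry, one LatentBot-style entry,
# the module store with a PE stub in "0" plus one encrypted-name module, and
# the Adobe Acrobat "in" value (its contents here are placeholders, not real
# LatentBot ciphertext).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\tester\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"shfdnoh"="C:\\Users\\tester\\AppData\\Local\\Microsoft\\Windows\\shfdnoh.exe"

[HKEY_CURRENT_USER\Software\Google\Update\network\secure]
"0"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00
"FtUFJu5xP3C"=hex:13,37,de,ad,be,ef

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat]
"in"="placeholderCiphertextNotFromTheBot"
'''


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text):
    """Yield (key, value_name, data) for string and hex: values of a .reg export.
    Other kinds (dword:, hex(2): ...) are not needed for this hunt and are skipped."""
    key = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "" if m.group(2) else m.group(1)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg strings escape backslash and double quote with a backslash
            yield key, name, re.sub(r'\\(["\\])', r'\1', data[1:-1])
        elif data.lower().startswith("hex:"):
            yield key, name, bytes.fromhex(data[4:].replace(",", ""))


def _relative_to_hive(key):
    """Drop the hive (and the SID for HKEY_USERS) so the checks work per profile."""
    parts = key.lower().split("\\")
    if parts[0] == "hkey_users":
        return "\\".join(parts[2:])
    return "\\".join(parts[1:])


def hunt(entries):
    """Return (rule, key, value_name, detail) for every artifact found."""
    findings = []
    for key, name, data in entries:
        rel = _relative_to_hive(key)
        if rel == RUN_KEY and isinstance(data, str) and INSTALL_PATH_RE.search(data):
            findings.append(("run_key_into_localappdata_windows", key, name, data))
        elif rel == MODULE_STORE and isinstance(data, bytes) and data[:2] == b"MZ":
            findings.append(("pe_image_stored_in_registry", key, name, f"{len(data)} bytes"))
        elif rel == MODULE_STORE:
            findings.append(("latentbot_module_store_value", key, name, "encrypted module or config"))
        elif rel == CONFIG_KEY and name.lower() == "in":
            findings.append(("latentbot_install_path_value", key, name, "encrypted install path"))
    return findings


if __name__ == "__main__":
    for rule, key, name, detail in hunt(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:<36} {key}\\{name}: {detail}")
```

Two caveats. %LOCALAPPDATA%\Microsoft\Windows is a legitimate directory, so a Run entry launching an executable from there is a lead to verify (hash the file, check its signature), not a verdict. The value names under the module store are themselves encrypted and vary from sample to sample, so the key path and the MZ header in "0" are the stable indicators, not the names; the modules themselves are delivered over the network, as the capture below shows.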
They masquerade as <em>.zip<\/em> files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18208\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon_fragment.png\" alt=\"\" width=\"813\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon_fragment.png 813w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon_fragment-300x148.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/beacon_fragment-600x295.png 600w\" sizes=\"auto, (max-width: 813px) 100vw, 813px\" \/><\/p>\n<p>The beacon is encoded in two layers: first LatentBot&#8217;s custom encryption, then Base64:<\/p>\n<pre>QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY0pOR3VkWlNtc3Q1VzduWlJ2SHZ6QjJhNEtuTFo3RUNobVlOKzJMbDE0TWxBUXR2NXdxelBtSk1aeDNaNVRlaVdzdFVhZG5IK0JwcEp3NkFXVTlVc3JJYWpKa3VzTnlSbUE=<\/pre>\n<p>Base64 decoded:<\/p>\n<pre>Adl7k+v9qQGCaZti0LS9vq+scJNGudZSmst5W7nZRvHvzB2a4KnLZ7EChmYN+2Ll14MlAQtv5wqzPmJMZx3Z5TeiWstUadnH+BppJw6AWU9UsrIajJkusNyRmA<\/pre>\n<p>LatentBot custom decoded:<\/p>\n<pre>forum?datael=US-70-789548274695&amp;ver=5015&amp;os=5&amp;acs=1&amp;x64=0&amp;gr=Group 1&amp;random=mxmgkuusrfqdotm<\/pre>\n<p>As we can see, it contains data about the infected machine, as well as the group name and a random token.<\/p>\n<p>However, not all of the communication is encrypted. Some of the later requests are very verbose: each action is identified by a string in capital letters. 
Examples:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18155\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication2.png\" alt=\"\" width=\"895\" height=\"544\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication2.png 895w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication2-300x182.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication2-600x365.png 600w\" sizes=\"auto, (max-width: 895px) 100vw, 895px\" \/><\/p>\n<p>The client beacons to the server with a HELLO command. In return, the CnC gives it a cookie that is used as an ID from then on. The content posted between the client and the server is encrypted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18157\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication_fragment.png\" alt=\"\" width=\"724\" height=\"689\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication_fragment.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication_fragment-300x285.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/communication_fragment-600x571.png 600w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>Analyzing the traffic, we can see that the bot sends stolen data to the CnC packed in Cabinet (CAB) format. The content inside is encrypted with LatentBot&#8217;s custom encryption algorithm. 
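To make the two-layer encoding concrete, here is an added Python example (not code from the post or from LatentBot) that peels the Base64 layer off the captured beacon, checks that what comes out is in the ciphertext alphabet LatentBot's custom cipher produces, and parses the decoded request into its fields. The custom cipher itself is not documented in this post and is not implemented here; the plaintext the post obtained with its dedicated decoder is used as a constructed input. The field meanings are taken from the parameter names the Bot_Engine module builds (listed later in the post); only gr and random are explained in the post itself, the rest are my reading of the names and are labelled as such.

```python
"""Added example (not code from the post or from LatentBot): peel the outer
Base64 layer of a LatentBot beacon and parse the decoded request.

The inner layer is LatentBot's custom cipher, which this post does not
document, so it is NOT implemented here. Its plaintext is taken from the
post and fed to the parser as a constructed input.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Beacon captured in the post (outer layer: standard padded Base64).
BEACON_B64 = (
    "QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY0pOR3VkWlNtc3Q1VzduWlJ2SHZ6QjJhNEtuTFo3"
    "RUNobVlOKzJMbDE0TWxBUXR2NXdxelBtSk1aeDNaNVRlaVdzdFVhZG5IK0JwcEp3NkFXVTlV"
    "c3JJYWpKa3VzTnlSbUE="
)
# Custom-cipher text the post shows after Base64 decoding (for cross-checking).
INNER_EXPECTED = (
    "Adl7k+v9qQGCaZti0LS9vq+scJNGudZSmst5W7nZRvHvzB2a4KnLZ7EChmYN"
    "+2Ll14MlAQtv5wqzPmJMZx3Z5TeiWstUadnH+BppJw6AWU9UsrIajJkusNyRmA"
)
# Plaintext the post obtained from the inner layer with its dedicated decoder.
DECODED_BEACON = (
    "forum?datael=US-70-789548274695&ver=5015&os=5&acs=1&x64=0"
    "&gr=Group 1&random=mxmgkuusrfqdotm"
)

# Every custom-cipher string in the post uses this alphabet (Base64-like, no
# padding); used as a sanity check that the outer layer was really Base64.
CIPHERTEXT_RE = re.compile(r"^[A-Za-z0-9+/]+$")

# Beacon parameters built by the Bot_Engine module. Only gr and random are
# explained in the post; "(from the name)" marks my reading of a name.
KNOWN_FIELDS = {
    "gr": "bot group (stated in the post)",
    "random": "random token (stated in the post)",
    "datael": "victim identifier (from the name)",
    "ver": "bot version (from the name)",
    "os": "OS code (from the name)",
    "av": "installed AV product (from the name)",
    "acs": "meaning not documented",
    "x64": "64-bit flag (from the name)",
    "li": "meaning not documented",
    "plugins": "loaded plugins (from the name)",
    "errcode": "error code (from the name)",
    "bk": "meaning not documented",
    "note": "meaning not documented",
    "dom": "meaning not documented",
    "sockslog": "SOCKS proxy log (from the name)",
    "vncpass": "VNC password (from the name)",
    "vidtype": "meaning not documented",
}


def strip_base64_layer(beacon: str) -> str:
    """Remove the outer Base64 layer and return the custom-cipher text.

    Raises ValueError when the payload is not valid padded Base64 or when the
    result is not in the ciphertext alphabet (e.g. plain Base64 of some other
    data, or a different bot family).
    """
    try:
        raw = base64.b64decode(beacon, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"outer layer is not Base64: {exc}") from exc
    inner = raw.decode("ascii", errors="replace")
    if not CIPHERTEXT_RE.fullmatch(inner):
        raise ValueError("inner layer is not in the LatentBot ciphertext alphabet")
    return inner


def parse_beacon(decoded: str) -> dict:
    """Split a decoded beacon such as 'forum?k=v&k=v' into action and fields.

    keep_blank_values=True so an empty value (e.g. '&av=' with nothing after
    it) is kept rather than silently dropped.
    """
    parts = urlsplit(decoded)
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"action": parts.path, "fields": fields}


def annotate(fields: dict) -> list:
    """Return (key, value, meaning) triples; unknown keys are flagged so a
    changed beacon format stands out during triage."""
    return [(k, v, KNOWN_FIELDS.get(k, "UNKNOWN KEY")) for k, v in fields.items()]


if __name__ == "__main__":
    print("custom-cipher layer:", strip_base64_layer(BEACON_B64))
    parsed = parse_beacon(DECODED_BEACON)
    print("action:", parsed["action"])
    for key, value, meaning in annotate(parsed["fields"]):
        print(f"  {key:>8} = {value!r:<24} {meaning}")
```

The decoded beacon is a path plus query string (forum?...) relative to the CnC URL carried in the module configuration, which is why urlsplit handles it directly. Unknown keys are flagged rather than ignored so that a newer bot build adding parameters is noticed instead of being parsed silently.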
The file is uploaded using the <a href=\"https:\/\/stackoverflow.com\/questions\/630453\/put-vs-post-in-rest\" target=\"_blank\" rel=\"noopener noreferrer\">HTTP PUT method<\/a>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18158\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/uploaded_cab.png\" alt=\"\" width=\"733\" height=\"399\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/uploaded_cab.png 733w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/uploaded_cab-300x163.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/uploaded_cab-600x327.png 600w\" sizes=\"auto, (max-width: 733px) 100vw, 733px\" \/><\/p>\n<h3>Inside<\/h3>\n<p>The original sample of LatentBot, the one distributed in campaigns, comes packed with a crypter. After removing this first layer, we get a loader with the following section layout:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18160\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_sections.png\" alt=\"\" width=\"776\" height=\"384\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_sections.png 776w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_sections-300x148.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_sections-600x297.png 600w\" sizes=\"auto, (max-width: 776px) 100vw, 776px\" \/><\/p>\n<p>All the strings used are obfuscated: chunks of each string are moved into consecutive variables:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18159\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_obfuscated_strings.png\" alt=\"\" width=\"456\" height=\"546\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_obfuscated_strings.png 456w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/loader_obfuscated_strings-251x300.png 251w\" sizes=\"auto, (max-width: 456px) 100vw, 456px\" \/><\/p>\n<p>The basic role of this element is to inject into <em>svchost.exe<\/em>. In the memory of <em>svchost.exe<\/em>, another PE file is unpacked and loaded:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18161\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/unpacked_svc.png\" alt=\"\" width=\"652\" height=\"259\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/unpacked_svc.png 652w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/unpacked_svc-300x119.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/unpacked_svc-600x238.png 600w\" sizes=\"auto, (max-width: 652px) 100vw, 652px\" \/><\/p>\n<p>If we dump this file, we find another stage. Starting from this element, all further pieces of LatentBot share common patterns: they are written in Delphi, and their strings are obfuscated by the same set of functions. Example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18193\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypting_strings.png\" alt=\"\" width=\"587\" height=\"168\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypting_strings.png 587w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/decrypting_strings-300x86.png 300w\" sizes=\"auto, (max-width: 587px) 100vw, 587px\" \/><\/p>\n<p>In order to defeat this obfuscation I prepared a dedicated IDA script (<a href=\"https:\/\/github.com\/hasherezade\/malware_analysis\/blob\/master\/latent_bot\/latent_dec.py\" target=\"_blank\" rel=\"noopener noreferrer\">latent_dec.py<\/a>). 
Few other obfuscation techniques are used, so after applying the script the code becomes much more readable:<\/p>\n<p><iframe  src='https:\/\/www.youtube.com\/embed\/gMVJtOPUmkk?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p>Another feature typical of LatentBot&#8217;s pieces is a set of resources following a similar schema. The current sample comes with two resources, CFG and R, both encrypted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18162\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_resources.png\" alt=\"\" width=\"688\" height=\"290\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_resources.png 688w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_resources-300x126.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_resources-600x253.png 600w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/p>\n<p>This element unpacks another module (<a href=\"https:\/\/www.virustotal.com\/en\/file\/0521c9246ad9faae379717b17045fc66d1812eaccc39eaa3524347f8e8027b59\/analysis\/1496224646\/\" target=\"_blank\" rel=\"noopener noreferrer\">b622a0b443f36d99d5595acd0f95ea0e<\/a>), which this time is injected into <em>iexplore<\/em>. The new module has resources structured like the previous one&#8217;s. 
Its CFG resource contains strings encrypted by the algorithm typical of this bot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18163\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_explorer_res.png\" alt=\"\" width=\"697\" height=\"408\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_explorer_res.png 697w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_explorer_res-300x176.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/inj_explorer_res-600x351.png 600w\" sizes=\"auto, (max-width: 697px) 100vw, 697px\" \/><\/p>\n<p>The configuration of this element contains the bot group ID and the CnC address:<\/p>\n<pre>MxN4ViazcD -&gt; Group 1\nj5kmNVnZPcAt18wWBH3kfMOzGQ6ENA -&gt; http:\/\/104.232.32.101\/<\/pre>\n<h3>Modules<\/h3>\n<p>The main element of LatentBot is an engine that downloads and manages the modules. Each LatentBot module has a different task; overall, the bot has the capabilities of a typical RAT and stealer. The set of downloaded submodules varies between samples. In the analyzed one, elements with the following names were fetched:<\/p>\n<ul>\n<li>formgrab-128521-2<\/li>\n<li>Bot_Engine-641712-8<\/li>\n<li>Found_Core-147200-2<\/li>\n<li>send_report-325310-77<\/li>\n<li>security-945874-2<\/li>\n<li>remote_desktop_service-828255-2<\/li>\n<li>vnc_hide_desktop-590642-47<\/li>\n<li>Socks-400578-2<\/li>\n<\/ul>\n<p>Let&#8217;s have a look inside some of them&#8230;<\/p>\n<h3>Bot_Engine Module<\/h3>\n<p>As the name states, this is the main module of the bot. 
It is responsible for communication with the CnC and for loading the plugins.<\/p>\n<p>It fingerprints the environment and sends the collected data to the CnC in the beacon.<\/p>\n<pre>'tkNFKRA' -&gt; '&amp;ver='\n'tA8OqC' -&gt; '&amp;os='\n't4M5zB' -&gt; '&amp;av=\"'\n't4c85aF' -&gt; '&amp;acs='\n'tct4rwD' -&gt; '&amp;x64='\n'tgszOD' -&gt; '&amp;gr='\n'tMc36A' -&gt; '&amp;li=W4'\n't89KWAf3QyCh' -&gt; '&amp;plugins='\n'to8KKL6mYGs8' -&gt; '&amp;errcode='\n't08rKTC' -&gt; '&amp;bk=1'\n't08rKXC' -&gt; '&amp;bk=0'\n'tEMeVgHimC' -&gt; '&amp;note=1'\n'tEMeVgHinC' -&gt; '&amp;note=0'\n'tsMSYj\/L' -&gt; '&amp;dom=1'\n'tsMSYjvL' -&gt; '&amp;dom=0'\n'tw9sex5WXDzsMB' -&gt; '&amp;sockslog='\n'tk9H0psjw5Wv' -&gt; '&amp;vncpass='\n'tkNGWE8KNC+N' -&gt; '&amp;vidtype='<\/pre>\n<p>Example: checking installed AV products:<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18234\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_av.png\" alt=\"\" width=\"379\" height=\"141\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_av.png 379w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/check_av-300x112.png 300w\" sizes=\"auto, (max-width: 379px) 100vw, 379px\" \/><\/p>\n<p>The dedicated function contains a long list of the directories that are checked, for example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18235\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/checked_av_products.png\" alt=\"\" width=\"779\" height=\"369\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/checked_av_products.png 779w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/checked_av_products-300x142.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/checked_av_products-600x284.png 600w\" sizes=\"auto, (max-width: 779px) 100vw, 779px\" \/><\/p>\n<p>This module gives the 
attacker remote control over the victim&#8217;s environment by executing various commands, such as:<\/p>\n<pre>'\/tKvXgFBlB' -&gt; 'testapi'\n'slx6nfFi' -&gt; 'get_id'\n'5J5eN0Wp9A' -&gt; 'restart'\n'4FEa7FfTRCI' -&gt; 'shutdown'\n'nxRY+d\/E' -&gt; 'logoff'\n'slx6nLVh9Et\/qqi2eUpf9D' -&gt; 'get_label_engine'\n'slx6nLVh9Et\/qOCYBWP' -&gt; 'get_label_load'\n'slx6n7kxqMcKNsq0UkmG' -&gt; 'get_plugin_list'\n'7hfCrPhOfgfTX28h8TZS' -&gt; 'plugin_stop_all'\n'7hfCrPhOfkfbTM6EplCNCN1d' -&gt; 'plugin_restart_all'\n'7hfCrPhOfg+PtNcXVAc8JLsPUA' -&gt; 'plugin_clear_storage'\n'41l3p17Xus\/kRtagq7ObrZEM\/WucXWH' -&gt; 'stop_engine_and_plugins'\n'+FJV1v6mXl5SW7r8cB' -&gt; 'uninstall_all'\n'slx6njktomFaQ0F' -&gt; 'get_version'\n'7hfCrPhOfgfTX2M' -&gt; 'plugin_stop'\n'7hfCrPhOfkfbTM6EplC' -&gt; 'plugin_restart'\n'7hfCrPhOfgfTX28h8bppqx+bZm\/CQDXSnB' -&gt; 'plugin_stop_and_uninstall'\n'7hfCrPhOf4vfz5NHktwwJB' -&gt; 'plugin_uninstall'\n'7hfCrPhOfgfTZiCd' -&gt; 'plugin_start'\n'7hfCrPhOfgfTZiCdhJwYvUM' -&gt; 'plugin_start_auto'\n'7hfCrPhOfgfTX28h83I9CD' -&gt; 'plugin_stop_autox'\n'slx6n7kxqMcKNsazBUKWvC' -&gt; 'get_plugin_start'\n'o5SQ6EkjlBwmdJhahA' -&gt; 'clear_cookies'<\/pre>\n<p>Example: a fragment of the function that steals and clears cookies:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18236\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/steal_ff_cookies.png\" alt=\"\" width=\"599\" height=\"453\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/steal_ff_cookies.png 599w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/steal_ff_cookies-300x227.png 300w\" sizes=\"auto, (max-width: 599px) 100vw, 599px\" \/><\/p>\n<p>After completing a task, it also sends a report on the operation&#8217;s status:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18237\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/report_task.png\" alt=\"\" width=\"480\" height=\"410\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/report_task.png 480w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/report_task-300x256.png 300w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/p>\n<h3>Security Module<\/h3>\n<p>This module performs an extended environment check against various security products. Looking at the resources, we find three elements, DFX, VBL and FDL, containing lists of strings encrypted in the usual way:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18211\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sec_strings.png\" alt=\"\" width=\"792\" height=\"219\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sec_strings.png 792w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sec_strings-300x83.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/sec_strings-600x166.png 600w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/p>\n<p>Decrypting them gives an extensive list of checked paths (<a href=\"https:\/\/gist.github.com\/hasherezade\/de2df50e5a596ec436bd8e8007489016#file-dfx-txt\" target=\"_blank\" rel=\"noopener noreferrer\">DFX<\/a>, <a href=\"https:\/\/gist.github.com\/hasherezade\/de2df50e5a596ec436bd8e8007489016#file-vbl-txt\" target=\"_blank\" rel=\"noopener noreferrer\">VBL<\/a>) and modules (exe, dll, sys): <a href=\"https:\/\/gist.github.com\/hasherezade\/de2df50e5a596ec436bd8e8007489016#file-fdl-txt\" target=\"_blank\" rel=\"noopener noreferrer\">FDL<\/a><\/p>\n<h3>Formgrab Module<\/h3>\n<p>Unlike the other modules, this one contains no string or API obfuscation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18217\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_check.png\" alt=\"\" width=\"616\" height=\"227\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_check.png 616w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_check-300x111.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_check-600x221.png 600w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<p>We can find it grabbing the contents of window fields:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18219\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/fetch_text.png\" alt=\"\" width=\"613\" height=\"260\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/fetch_text.png 613w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/fetch_text-300x127.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/fetch_text-600x254.png 600w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/p>\n<p>&#8230;and logging the typed keys:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18218\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_tap.png\" alt=\"\" width=\"357\" height=\"391\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_tap.png 357w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/key_tap-274x300.png 274w\" sizes=\"auto, (max-width: 357px) 100vw, 357px\" \/><\/p>\n<h3>Found_Core Module<\/h3>\n<p>This is the only module that has been written in C++ instead of Delphi. 
It comes with the default icon that Visual Studio adds to Windows projects.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18239\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/installer_exe.png\" alt=\"\" width=\"77\" height=\"82\" \/><\/p>\n<p>Its original name is installer.exe, and it exports various functions that can be used to inject into 64-bit applications:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18238\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/exported_64.png\" alt=\"\" width=\"546\" height=\"482\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/exported_64.png 546w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/exported_64-300x265.png 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/p>\n<p>It differs from the other modules in several ways, e.g. it lacks string obfuscation. Performed actions are reported through debug strings stored in the binary as plain text, e.g.:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18240\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/output_debug.png\" alt=\"\" width=\"670\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/output_debug.png 670w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/output_debug-300x269.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/output_debug-600x537.png 600w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\" \/><\/p>\n<p>The compilation timestamp of this executable points to February 2017: <em>2017:02:28 18:21:01+01:00. 
<\/em>This element was not observed in previous years, so probably indeed it is added this year, to expand injection capabilities of the LatentBot to 64 bit processes.<\/p>\n<h3>Conclusion<\/h3>\n<p>LatentBot has been\u00a0around for several years, however, looking at the modules we can find out that it is still being actively maintained. The distributed package is a mixture of old and new modules.<\/p>\n<p>The authors of this bot are not very advanced in malware development. They program in Delphi and use some ready-made templates. Also, the obfuscation they use can be easily defeated. However, they delivered a bot that is very rich in features and easily expandable, thus, it still poses\u00a0a serious threat.<\/p>\n<h3>Appendix<\/h3>\n<p><a href=\"https:\/\/www.cert.pl\/news\/single\/latentbot-modularny-i-silnie-zaciemniony-bot\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.cert.pl\/news\/single\/latentbot-modularny-i-silnie-zaciemniony-bot\/ <\/a>&#8211; Polish CERT on LatentBot (December 2016)<\/p>\n<p><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2015\/12\/latentbot_trace_me.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.fireeye.com\/blog\/threat-research\/2015\/12\/latentbot_trace_me.html<\/a> &#8211; FireEye on LatentBot (2015)<\/p>\n<p><a href=\"https:\/\/translate.google.com\/translate?sl=auto&amp;tl=en&amp;js=y&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;u=https%3A%2F%2Fcys-centrum.com%2Fru%2Fnews%2Fmodule_trojan_for_unauthorized_access&amp;edit-text=&amp;act=url\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/cys-centrum.com\/ru\/news\/module_trojan_for_unauthorized_access <\/a>&#8211; CyS Cenrtum report (2015)<\/p>\n<hr \/>\n<p><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. <\/span><span class=\"s1\">She loves going in details about malware and sharing threat information with the community. 
<\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\" rel=\"noopener noreferrer\">hasherezade<\/a> and her personal blog: <a href=\"https:\/\/hshrzd.wordpress.com\/\"><span class=\"s3\">https:\/\/hshrzd.wordpress.com<\/span><\/a>.<\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/latentbot\/\">LatentBot piece by piece<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/latentbot\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Thu, 08 Jun 2017 15:00:53 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/latentbot\/' title='LatentBot piece by piece'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/06\/shutterstock_156316205.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>LatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we captured and dissected a sample distributed by RIG Exploit Kit. 
In this post we will describe its modules by taking apart several layers of obfuscation and encryption in order to reveal their true nature.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/hasherezade\/\" rel=\"tag\">hasherezade<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/latentbot\/\" rel=\"tag\">latentbot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malwarebytes-labs\/\" rel=\"tag\">malwarebytes labs<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig-ek\/\" rel=\"tag\">RIG EK<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/latentbot\/' title='LatentBot piece by piece'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/06\/latentbot\/\">LatentBot piece by piece<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10492,12590,3764,11530,11792,10494],"class_list":["post-7875","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-hasherezade","tag-latentbot","tag-malware","tag-malwarebytes-labs","tag-rig-ek","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7875"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7875\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7875"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}