Analysis
  max time kernel:  148s
  max time network: 155s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240708-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        08-07-2024 11:19

Static task
  static1 (1 signatures)

Behavioral task
  behavioral1
  Sample:   2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe
  Resource: win7-20240705-en (windows7-x64)
  6 signatures
  150 seconds
General
  Target: 2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe
  Size:   169KB
  MD5:    2c2248aec7c92b56ddbb493e84dfaddd
  SHA1:   4dd1767b3f305999a80aa3a5f36776d9587a1afb
  SHA256: a33b11b4add719f4674e95c3a45a66b40c76b4c531f671f6677b1b88d0c01ad4
  SHA512: c26f4e4559511f34d92ece2eb3728754c6fc77382e183c6f84429b4b0fd46ef16d4f1d4d357d01e9ec1ca28ac172ae237c6e4402293310faad69ba8a6908f7e3
  SSDEEP: 3072:NP/0iJ1CtTsYebjNdBnwEq0B3I+5b3Qrr8V:NP/Pwlytd1lB4oU+
Malware Config

Signatures

KPOT Core Executable (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/3032-1-0x00000000004F0000-0x00000000005F0000-memory.dmp   family_kpot
  behavioral2/memory/3032-2-0x00000000001E0000-0x00000000001F6000-memory.dmp   family_kpot
  behavioral2/memory/3032-3-0x0000000000400000-0x0000000000418000-memory.dmp   family_kpot
  behavioral2/memory/3032-4-0x0000000000400000-0x0000000000432000-memory.dmp   family_kpot
  behavioral2/memory/3032-5-0x0000000000400000-0x0000000000418000-memory.dmp   family_kpot

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation   2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)
  pid    Process
  4804   PING.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process                                              procid_target
  PID 3032 wrote to memory of 5084   3032   2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe   83
  PID 3032 wrote to memory of 5084   3032   2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe   83
  PID 3032 wrote to memory of 5084   3032   2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe   83
  PID 5084 wrote to memory of 4804   5084   cmd.exe                                              85
  PID 5084 wrote to memory of 4804   5084   cmd.exe                                              85
  PID 5084 wrote to memory of 4804   5084   cmd.exe                                              85
Processes

  C:\Users\Admin\AppData\Local\Temp\2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3032

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2c2248aec7c92b56ddbb493e84dfaddd_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      PID:5084

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
        PID:4804