Overview

overview

10

Static

static

3

19b15bd216...18.exe

windows7-x64

10

19b15bd216...18.exe

windows10-2004-x64

10

$APPDATA/c...OR.dll

windows7-x64

1

$APPDATA/c...OR.dll

windows10-2004-x64

1

$APPDATA/c...ce.exe

windows7-x64

1

$APPDATA/c...ce.exe

windows10-2004-x64

1

$APPDATA/p...ils.js

windows7-x64

3

$APPDATA/p...ils.js

windows10-2004-x64

3

$TEMP/System.dll

windows7-x64

3

$TEMP/System.dll

windows10-2004-x64

3

$TEMP/hedgerows.dll

windows7-x64

3

$TEMP/hedgerows.dll

windows10-2004-x64

3

$TEMP/pl/r...ox.vbs

windows7-x64

1

$TEMP/pl/r...ox.vbs

windows10-2004-x64

1

$TEMP/pl/r...ps.dll

windows7-x64

3

$TEMP/pl/r...ps.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19b15bd216a75333053517cd4e4afe3d_JaffaCakes118.exe

  • Size

    261KB

  • MD5

    19b15bd216a75333053517cd4e4afe3d

  • SHA1

    970370ad007d721d7290019df0bb36392e604a00

  • SHA256

    03544cc512306862b88bbf0c5f3a573bdb023f061302e90d24ebfeed93334d01

  • SHA512

    42b416109cbb305f3bcaede9a997e9b20ec7475726a6f5794d8df56f6a4caa659e18b78c684c81c7bb269555da03e013fbfdebe4b7b5d9460b6546659e6766fd

  • SSDEEP

    6144:SR+xXJuUnOgw0HzrnEle1exXN4I+j3c1Ao5JXXJJ2HMU51xdt:GW3RXoek9j8eV3JgMm

Score
10/10
kpotdiscoverystealertrojan

Malware Config

Signatures

  • KPOT

    KPOT is an information stealer that steals user data and account credentials.

    trojanstealerkpot
  • KPOT Core Executable 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19b15bd216a75333053517cd4e4afe3d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\19b15bd216a75333053517cd4e4afe3d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:11028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 11028 -s 36
        3⤵
        • Program crash
        PID:11008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\hedgerows.dll
    Filesize

    22KB

    MD5

    2ae5d410948624b091bffee8fe572969

    SHA1

    959e5dceaa00d60feab658160a56922a2078c36f

    SHA256

    49d58d394cfd697ea5d855b88cede6d70eb08effafde514d255493b3ec5eb645

    SHA512

    ac481da138de38b8ebce01828b25da3dbb009571fdc614e351896375bc169b216974fb62312e76dd6308d53ab278f25497656e35e8ff3928e15ce599c8be5fd3

    Download Submit

  • memory/2116-21-0x0000000000480000-0x0000000000493000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2116-138-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-137-0x00000000003E0000-0x00000000003E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2116-10034-0x0000000002760000-0x0000000002780000-memory.dmp

    Filesize

    128KB

    Download

  • memory/11028-10030-0x0000000000090000-0x00000000000A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/11028-10032-0x0000000000090000-0x00000000000A8000-memory.dmp

    Filesize

    96KB

    Download