Analysis Overview
SHA256
6c282fde0bddf7c24f53584131366d52f39cc29ed5aed3017be731420089303d
Threat Level: Known bad
The file 9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 17:54
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 17:54
Reported
2024-08-15 17:57
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bc5e482a034e3c4b9b34603deb9a2ce5 |
| SHA1 | d1ccc1bfe204d02e40df83ffa93ea5fea0329e5b |
| SHA256 | ee68403b53250dc6eba949040dc2986b6b593cc85d37aa06327391140ac826bb |
| SHA512 | df60a438b7267d8d42e142c448a22e1a4a94b425eb0fc1a012c2efe421bb68bcad41f7cdb65cb9f373a4268bdfb6988c292b74cb8c3ddc21ba338c6234c123c7 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 55c3cb09be31ad26c5c9cc5f86b434ae |
| SHA1 | 82b45fcd214a8e4399a44a2f39d877518c190521 |
| SHA256 | f5b3ba3aff07d16ca4a02a849c4400fff51f119f51e2f36e947f2477bcd481a8 |
| SHA512 | 67be1b767b03b5f0962e1fe6a7e134ce5c74f5357f57d11ae63eb461a58559339082c5d19f285828936e06578ec7a3c81c25b6360e2fd7c7eabf021d7fb9d3ab |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | cbe83bbbd12a97cfca6a78fde3fa5815 |
| SHA1 | 4214d9d35563330d901a50344bcdfb9d29ca8ecd |
| SHA256 | 8f0d8f3597ac3bd259789e66a8c5b8d16ce8de25dc1284d2d5659465ae1912cd |
| SHA512 | 0fc6524a0bd998ec72e04adf9774de1d4689cc8a52900e5e38c14d7a459e120c3d5cd67eaf775d4ec730ef53c061c4820ef60ea30d8fef5813d8be4cdc57e766 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 17:54
Reported
2024-08-15 17:57
Platform
win7-20240704-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bc5e482a034e3c4b9b34603deb9a2ce5 |
| SHA1 | d1ccc1bfe204d02e40df83ffa93ea5fea0329e5b |
| SHA256 | ee68403b53250dc6eba949040dc2986b6b593cc85d37aa06327391140ac826bb |
| SHA512 | df60a438b7267d8d42e142c448a22e1a4a94b425eb0fc1a012c2efe421bb68bcad41f7cdb65cb9f373a4268bdfb6988c292b74cb8c3ddc21ba338c6234c123c7 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b54cfb764d8858793488e1e246290740 |
| SHA1 | 7bd3b3a773bd29d35e8c53f6d10584fdbce703f7 |
| SHA256 | 1a986ea0d84a28bbaa0fb8db8dfedf04efc9d1daaffff66d6e63880d43c91286 |
| SHA512 | aed54a588eb9b62550c62f10e6fbf488039e53afddb2c2b0d83c7877d1897f22af24dcc849559d46521600e0bfb163d5eb0f60594eeebdc7ae334452ec3a5249 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 9cdb97ab39663874071d242b707238b5 |
| SHA1 | a3d91e96da88d523721ee4e3b2426b7579aaf72d |
| SHA256 | d72606c506264a4718592be91f916ebd276de31cb9c7efa7eedec5a97fbe4bb6 |
| SHA512 | 9c55f995fca4e98d734d4d63297a6404bc607933e72e0d598b92d83583e314b5820291f610dce8133fc78c38c9183f0b4dc1197ae8083661542cbeb25805053f |