Malware Analysis Report

2024-11-16 12:57

Sample ID: 240815-wg8mbaverc
Target: 9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118
SHA256: 6c282fde0bddf7c24f53584131366d52f39cc29ed5aed3017be731420089303d
Tags: neconyd discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6c282fde0bddf7c24f53584131366d52f39cc29ed5aed3017be731420089303d
Threat Level: Known bad

The file 9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd discovery trojan

Signatures:
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-08-15 17:54

Signatures

Neconyd family
Tags: neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-15 17:54
Reported: 2024-08-15 17:57
Platform: win10v2004-20240802-en
Max time kernel: 148s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"

Signatures

Neconyd
Tags: trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery
Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5: bc5e482a034e3c4b9b34603deb9a2ce5
  SHA1: d1ccc1bfe204d02e40df83ffa93ea5fea0329e5b
  SHA256: ee68403b53250dc6eba949040dc2986b6b593cc85d37aa06327391140ac826bb
  SHA512: df60a438b7267d8d42e142c448a22e1a4a94b425eb0fc1a012c2efe421bb68bcad41f7cdb65cb9f373a4268bdfb6988c292b74cb8c3ddc21ba338c6234c123c7

C:\Windows\SysWOW64\omsecor.exe
  MD5: 55c3cb09be31ad26c5c9cc5f86b434ae
  SHA1: 82b45fcd214a8e4399a44a2f39d877518c190521
  SHA256: f5b3ba3aff07d16ca4a02a849c4400fff51f119f51e2f36e947f2477bcd481a8
  SHA512: 67be1b767b03b5f0962e1fe6a7e134ce5c74f5357f57d11ae63eb461a58559339082c5d19f285828936e06578ec7a3c81c25b6360e2fd7c7eabf021d7fb9d3ab

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5: cbe83bbbd12a97cfca6a78fde3fa5815
  SHA1: 4214d9d35563330d901a50344bcdfb9d29ca8ecd
  SHA256: 8f0d8f3597ac3bd259789e66a8c5b8d16ce8de25dc1284d2d5659465ae1912cd
  SHA512: 0fc6524a0bd998ec72e04adf9774de1d4689cc8a52900e5e38c14d7a459e120c3d5cd67eaf775d4ec730ef53c061c4820ef60ea30d8fef5813d8be4cdc57e766

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 17:54
Reported: 2024-08-15 17:57
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"

Signatures

Neconyd
Tags: trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery
Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1472 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1472 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1472 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1472 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9b090cd59e0bcc3b2b9c1e759b808fe1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5: bc5e482a034e3c4b9b34603deb9a2ce5
  SHA1: d1ccc1bfe204d02e40df83ffa93ea5fea0329e5b
  SHA256: ee68403b53250dc6eba949040dc2986b6b593cc85d37aa06327391140ac826bb
  SHA512: df60a438b7267d8d42e142c448a22e1a4a94b425eb0fc1a012c2efe421bb68bcad41f7cdb65cb9f373a4268bdfb6988c292b74cb8c3ddc21ba338c6234c123c7

\Windows\SysWOW64\omsecor.exe
  MD5: b54cfb764d8858793488e1e246290740
  SHA1: 7bd3b3a773bd29d35e8c53f6d10584fdbce703f7
  SHA256: 1a986ea0d84a28bbaa0fb8db8dfedf04efc9d1daaffff66d6e63880d43c91286
  SHA512: aed54a588eb9b62550c62f10e6fbf488039e53afddb2c2b0d83c7877d1897f22af24dcc849559d46521600e0bfb163d5eb0f60594eeebdc7ae334452ec3a5249

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5: 9cdb97ab39663874071d242b707238b5
  SHA1: a3d91e96da88d523721ee4e3b2426b7579aaf72d
  SHA256: d72606c506264a4718592be91f916ebd276de31cb9c7efa7eedec5a97fbe4bb6
  SHA512: 9c55f995fca4e98d734d4d63297a6404bc607933e72e0d598b92d83583e314b5820291f610dce8133fc78c38c9183f0b4dc1197ae8083661542cbeb25805053f