netsupport | d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe
Size

5.6MB
MD5

3e263a24122e03e6793a491bfda7942a
SHA1

cdf6e4849974c1fbd5d3075fcce91eea4f58dac1
SHA256

d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
SHA512

e68e2744030ba73e40411c12fe3b0e1a3b965249f8f1b3564833c3f3d2e8f90d2725e105a9c742bfb3dc2ad13ec2a1a38fefdb07badbcda84dcc3cdc067981b9
SSDEEP

98304:v/rXIHsZBxIj0Hnk/mA5P/BINhs1DUUmEiqeWTGnuHnJTvGQUd6kt:MHoIP5P/GNyioyup6Qzk

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2648	cmd.exe

Executes dropped EXE 5 IoCs

Processes:

Plib.exePlotManage.exePlib.tmpsvschost.exeWCL.exe

pid	Process
2900	Plib.exe
2628	PlotManage.exe
2024	Plib.tmp
1844	svschost.exe
1860	WCL.exe

Loads dropped DLL 10 IoCs

Processes:

Plib.exePlib.tmpsvschost.exe

pid	Process
2900	Plib.exe
2024	Plib.tmp
2024	Plib.tmp
2024	Plib.tmp
2024	Plib.tmp
1844	svschost.exe
1844	svschost.exe
1844	svschost.exe
1844	svschost.exe
1844	svschost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Plib.exePlotManage.exePlib.tmpsvschost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlotManage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plib.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svschost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Plib.tmp

pid	Process
2024	Plib.tmp
2024	Plib.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exesvschost.exePlotManage.exe

description	pid	Process
Token: SeDebugPrivilege	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1844	svschost.exe
Token: SeDebugPrivilege	2628	PlotManage.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Plib.tmpsvschost.exe

pid	Process
2024	Plib.tmp
1844	svschost.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

3e263a24122e03e6793a491bfda7942a_JaffaCakes118.execmd.exePlib.exePlib.tmpWCL.exe

description	pid	Process	procid_target
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2900	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2628	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	32
PID 2724 wrote to memory of 2628	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	32
PID 2724 wrote to memory of 2628	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	32
PID 2724 wrote to memory of 2628	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	32
PID 2724 wrote to memory of 2648	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2648	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2648	2724	3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe	33
PID 2648 wrote to memory of 472	2648	cmd.exe	36
PID 2648 wrote to memory of 472	2648	cmd.exe	36
PID 2648 wrote to memory of 472	2648	cmd.exe	36
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2900 wrote to memory of 2024	2900	Plib.exe	35
PID 2024 wrote to memory of 1860	2024	Plib.tmp	37
PID 2024 wrote to memory of 1860	2024	Plib.tmp	37
PID 2024 wrote to memory of 1860	2024	Plib.tmp	37
PID 2024 wrote to memory of 1860	2024	Plib.tmp	37
PID 2024 wrote to memory of 1844	2024	Plib.tmp	38
PID 2024 wrote to memory of 1844	2024	Plib.tmp	38
PID 2024 wrote to memory of 1844	2024	Plib.tmp	38
PID 2024 wrote to memory of 1844	2024	Plib.tmp	38
PID 1860 wrote to memory of 2352	1860	WCL.exe	42
PID 1860 wrote to memory of 2352	1860	WCL.exe	42
PID 1860 wrote to memory of 2352	1860	WCL.exe	42

C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe" /VERYSILENT /SP-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp" /SL5="$80218,2331902,780800,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe" /VERYSILENT /SP-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe
      "C:\Users\Admin\AppData\Roaming\WinSpo\WCL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1860 -s 604
        5⤵
        
        PID:2352
  - - C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe
      "C:\Users\Admin\AppData\Roaming\WinSpo\svschost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1844
- C:\Users\Admin\AppData\Local\Temp\PlotManage.exe
  "C:\Users\Admin\AppData\Local\Temp\PlotManage.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 &Del "3e263a24122e03e6793a491bfda7942a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 1
    3⤵
    PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Plib.exe

Filesize
3.0MB

MD5
725506d889dc290b57abee789f86d09e

SHA1
6239c0862a57a4a1859099a1fc6e70c52f3ee80e

SHA256
b61c57ff173e99dc83c2b4c300072d2b98f86271202ec05f5c94fbf218839507

SHA512
63a9f5a3f2f5d996a729cb0863ecf73aab4da047ef297483809113e367151974f8c27f958cd3ae867a179b2cdd4ecb6e4554fa649a395444d5f6226f5bf0ca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlotManage.exe

Filesize
3.2MB

MD5
6cf6e85c530e2f6d6e28aa066b19c29b

SHA1
679cd8304321ab4615793fa24449163fa044fe28

SHA256
760dbaef1a097bda49db17342e2bf27c334e3358a515dd53445b55cb01629a31

SHA512
08ba349dbba2fc7d0117d3422a66505c166b82b8f3ceff78e7ff1799f6cba1a71a275ea8d7ac9d326cd88528124f5820c7abc3ce01d48828394ad5b9276fbd8b

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-1R710.tmp

Filesize
31KB

MD5
191bd0cc859e47aaa7c5195f58f56d4e

SHA1
c2d91b7688ab3d4fbc08dc8df895323ca2c47460

SHA256
3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29

SHA512
9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-24870.tmp

Filesize
46B

MD5
3be27483fdcdbf9ebae93234785235e3

SHA1
360b61fe19cdc1afb2b34d8c25d8b88a4c843a82

SHA256
4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b

SHA512
edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-2R1PQ.tmp

Filesize
90KB

MD5
02b71d7f1eff7aa74b19969b4d2741b9

SHA1
8d625c3932b12859268149fa936ee6f607d03a65

SHA256
1774899128785abd6015c995316ea2adf26caaaf51825c290b1caf39ad91f5a7

SHA512
9092fec5f21f83bf4973d001662e73547c1b4b1cec0a1e55242ddfdca62706b885bb22f0d02b287c9e09641fbe6812cabfe16aa6d881705648cc847856522257

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-2UL5J.tmp

Filesize
85KB

MD5
08b0d2ee1c48e37aa2560cb5c1a327e0

SHA1
ea22db9932ba94b3775d3f3c5b07d451ab6105b1

SHA256
a199c6653726ba9e0cb9178af9691926c08667d451a3154b5966b2f22c24a64e

SHA512
785cb3a9ef2cce6afcc86f4d5205c14114040e89c4a9d6091dd9135be69fb62f58c1a0dc0657361c3c5bb3b1d94bf7a019c37fe20c2e53cf7814952fd43d9a67

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-2VNJB.tmp

Filesize
59KB

MD5
1239f15c699caece7ae3b5d2d5cbe312

SHA1
3655b2fb3b1f94f2ca670c397d2b1d3b3f44c47e

SHA256
545e90e66968c26722b23a4cd67d1039027b60fc33a33d669a6de73dd5e6a0af

SHA512
ad0b98ce5633f8d42ead9719420481e9cb0ea0ee6bd38f660261e180425befd4bd7e7acace466c1e15e277b4d48274d0b480a92709529ae901f50e1a77a2f236

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-7A696.tmp

Filesize
706B

MD5
812452fb7d6044657f21868f8b046ec8

SHA1
2a3d0cfa5ef48c687ed42c101c3466b8104379bf

SHA256
3a0fcc3de6f38f43bc68c3f7733470c5ae0ba7e44231f381a555c26f72cded2d

SHA512
ff72c6f6e830a34bcb84f44030568b709b422868d93a7ad0c12a2da1d7e1fdee6e048e23b90d87a0d98383d3964ab71d28db98f58ad381c93c06682ae1b4ec36

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-7U9T6.tmp

Filesize
386KB

MD5
4ae68042d513cba160cdaafe45d35582

SHA1
9a07ebd26fab57947b20647ac6ca0019475ffb44

SHA256
cc2b02ac7ed7656e4d26574367c571dfc44d3f167838f0ee868cdb8b493b3ff4

SHA512
b78f80697ba16c33ba9ede2d2019ceb6173c8a2d335d6990b75613c1af21669f25ea8f2d0e3c56af08578d038cf3b66ca4e55ca252ad699a805598993a3d5be8

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-BAGF4.tmp

Filesize
6KB

MD5
88b1dab8f4fd1ae879685995c90bd902

SHA1
3d23fb4036dc17fa4bee27e3e2a56ff49beed59d

SHA256
60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92

SHA512
4ea2c20991189fe1d6d5c700603c038406303cca594577ddcbc16ab9a7915cb4d4aa9e53093747db164f068a7ba0f568424bc8cb7682f1a3fb17e4c9ec01f047

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-BVEC2.tmp

Filesize
259B

MD5
ac5d5cc9acad4531ef1bd16145ea68bd

SHA1
f9d92f79a934815b645591ebbd6f5d20aa6a3e38

SHA256
68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

SHA512
196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-CHTVA.tmp

Filesize
319KB

MD5
bf9dd864f5822dc28ffce9529bae15ba

SHA1
ee578ba78ddaf0547edd23355dbc658cdc1b86ab

SHA256
74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6

SHA512
ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-CKBK0.tmp

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-FM2S7.tmp

Filesize
759KB

MD5
7aa3e993ffef3a554ebab6532eac4075

SHA1
92b541293c63a4fb343327a1cc7708f96e7eec74

SHA256
aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e

SHA512
97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-K4VFH.tmp

Filesize
3.6MB

MD5
21e49d937a929db0ff9c265e8b2b6777

SHA1
88000b29bb69b3e8a29f30f0274de3e71a8b7ef7

SHA256
9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1

SHA512
165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-Q3T37.tmp

Filesize
17KB

MD5
018b7364f4de19d99c37665eb8555fc5

SHA1
661d32b263131f27c890a3a17e3a7f58b0035f93

SHA256
fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71

SHA512
82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8

Download Submit
C:\Users\Admin\AppData\Roaming\WinDPD\is-RPU0E.tmp

Filesize
6KB

MD5
0e486de290c0948cc69b74c1e1a8a8a0

SHA1
7cb150504196a8cb028f4ec23566cc0760fc72aa

SHA256
83db250a9a3ea0600dcdd18626b1069701731b99d39207822be8ccd72d311ef5

SHA512
e175d67da17523177deda8c4e77f213487956bf1783e3a2b576a6918572702343fbec7717711545410e4459aea2bd9a4a455365bba8a0d7afc07a0e47c35a250

Download Submit
\Users\Admin\AppData\Local\Temp\is-2FC8O.tmp\Plib.tmp

Filesize
2.9MB

MD5
669dc6230c96d8f4e1a831554f655427

SHA1
91e57ce09970cba73e638d60ef2faf8bd6aa39ba

SHA256
35a088a72be2d2aa9c8f2285fbcabb5893582d6bc2dd355b107da081c999db82

SHA512
4c6e4033b4287ba8efe3c1843dff0f2498e0ac53ee5993ad51a13879fb32ae65cc146cf25c1c716722c9b6b5affc6a1055939486a5ea2d46f4dfa8809b6489b8

Download Submit
memory/1860-170-0x00000000010C0000-0x00000000010C8000-memory.dmp

Filesize
32KB

Download
memory/2024-159-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2628-142-0x0000000006520000-0x0000000006CF8000-memory.dmp

Filesize
7.8MB

Download
memory/2628-175-0x0000000000300000-0x0000000000350000-memory.dmp

Filesize
320KB

Download
memory/2628-181-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2628-180-0x00000000006E0000-0x000000000071C000-memory.dmp

Filesize
240KB

Download
memory/2628-177-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2628-28-0x0000000000830000-0x0000000000B6A000-memory.dmp

Filesize
3.2MB

Download
memory/2628-178-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2628-176-0x0000000000470000-0x00000000004E0000-memory.dmp

Filesize
448KB

Download
memory/2724-4-0x000000001BDF0000-0x000000001C42C000-memory.dmp

Filesize
6.2MB

Download
memory/2724-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-1-0x00000000010C0000-0x0000000001664000-memory.dmp

Filesize
5.6MB

Download
memory/2724-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2724-3-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-22-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-165-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2900-16-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2900-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download