neconyd | ef5315a288a29fadc0b5a9832641492f8cd9a8b99279a133faef3d22bee9b8de

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/11/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
Size

128KB
MD5

aca1443b1acfdd03ddb28221b5b9de28
SHA1

1570e650764203e0f9775b3a5c0f5876f1501697
SHA256

ef5315a288a29fadc0b5a9832641492f8cd9a8b99279a133faef3d22bee9b8de
SHA512

a90aa5da8b9d7677749b25d0c93e8b6b3ad2722135cb946ba16be5ebb00a85b1c5f3da086f66780d914507f4cac4eabbbdbce1bd0a06c08491440e4e413c2983
SSDEEP

1536:HDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:jiRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
2980	omsecor.exe
2184	omsecor.exe
548	omsecor.exe
3044	omsecor.exe
1264	omsecor.exe
1676	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
2980	omsecor.exe
2184	omsecor.exe
2184	omsecor.exe
3044	omsecor.exe
3044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 2980 set thread context of 2184	2980	omsecor.exe	32
PID 548 set thread context of 3044	548	omsecor.exe	35
PID 1264 set thread context of 1676	1264	omsecor.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 1552 wrote to memory of 3068	1552	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2980	3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2980	3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2980	3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2980	3068	aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2980 wrote to memory of 2184	2980	omsecor.exe	32
PID 2184 wrote to memory of 548	2184	omsecor.exe	34
PID 2184 wrote to memory of 548	2184	omsecor.exe	34
PID 2184 wrote to memory of 548	2184	omsecor.exe	34
PID 2184 wrote to memory of 548	2184	omsecor.exe	34
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 548 wrote to memory of 3044	548	omsecor.exe	35
PID 3044 wrote to memory of 1264	3044	omsecor.exe	36
PID 3044 wrote to memory of 1264	3044	omsecor.exe	36
PID 3044 wrote to memory of 1264	3044	omsecor.exe	36
PID 3044 wrote to memory of 1264	3044	omsecor.exe	36
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37
PID 1264 wrote to memory of 1676	1264	omsecor.exe	37

C:\Users\Admin\AppData\Local\Temp\aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\aca1443b1acfdd03ddb28221b5b9de28_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
b6534a16035959f7663470aaaf306dfe

SHA1
0bd95c9e2b17f89753eb93993ef6e0321f6874d0

SHA256
427e80b0773d666fb86a2058dc1234e4eee81774c20ac5dab4db1aaf14c4672b

SHA512
27b09731e3323559444c9646c5a04c064d80b9198956064760167189ac129163ae3a10f4eed47224923c716da9906e1b4ecdfda6e3a29cbfc718179ab5ee2a9f

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
2659ac4966ad850b5f7d9d99f655ae74

SHA1
8ecb08a5a3fccea42b75ea1f5790ed9e5e964d67

SHA256
80cd84ffb28ccf99bc93de0e456d4e07dc6b2553772b1257be59e46bf829e77c

SHA512
0ad934ad061bcfe759d1f90beda843dbdfa5eae9a35fd1b2bc7302419bdf13391407863158c3ad526db9af66d471d6296b40063a324c9fad1a68d2fe5d9eb2a4

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
c39822d4f341081460ea05ece8ea3d9c

SHA1
9222b43a7a62860f1e876340e133dcd3b60325ac

SHA256
77e31247b708bc5b751fa15ba3f024ab3e43c56d2845146ddd4d5d1784a56556

SHA512
29394cca6220cdd367a9369d4c9b619d2ec33abeb1628446e565cfe096a7be4d515f72e486e69d6c514ce7da26e91bcac0eedc8f5fa26b2d635dee6e3bbf0c4b

Download Submit
memory/1676-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2184-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3068-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download