Analysis
max time kernel: 146s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/12/2024, 20:26
Behavioral task: behavioral1
Sample: fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
Size: 63KB
MD5: fcfeb20e420471971457ba0b64e0b55b
SHA1: 6d601d4939f0fcbb33add732bd232d9051764edb
SHA256: c563c39bb2f300dc9dfa5c0b2fc266072a5c96ffc6f56b92df9d2f2dbd702868
SHA512: 869d3c30ca03bc2abb4b459673fc762149e6bf3fb0c4be858a63d16b92d4fa1c56891cd39a3d812120a309f9ebe76d182ec75c7942ba10a8396e3cf2b96c20fe
SSDEEP: 768:vMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:vbIvYvZEyFKF6N4yS+AQmZTl/5O
Malware Config
Extracted: neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
912   omsecor.exe
1784  omsecor.exe
2108  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
912   omsecor.exe
912   omsecor.exe
1784  omsecor.exe
1784  omsecor.exe

Drops file in System32 directory (1 IoC)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                              procid_target
PID 2104 wrote to memory of 912   2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe  30
PID 2104 wrote to memory of 912   2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe  30
PID 2104 wrote to memory of 912   2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe  30
PID 2104 wrote to memory of 912   2104  fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe  30
PID 912 wrote to memory of 1784   912   omsecor.exe                                          32
PID 912 wrote to memory of 1784   912   omsecor.exe                                          32
PID 912 wrote to memory of 1784   912   omsecor.exe                                          32
PID 912 wrote to memory of 1784   912   omsecor.exe                                          32
PID 1784 wrote to memory of 2108  1784  omsecor.exe                                          33
PID 1784 wrote to memory of 2108  1784  omsecor.exe                                          33
PID 1784 wrote to memory of 2108  1784  omsecor.exe                                          33
PID 1784 wrote to memory of 2108  1784  omsecor.exe                                          33
Processes

C:\Users\Admin\AppData\Local\Temp\fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2104

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 912

    C:\Windows\SysWOW64\omsecor.exe
      command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1784

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2108
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 63KB
MD5: e0a27cf3e511ae6e91d09bc414731769
SHA1: 6fdbc766c793529ad42e371c743c832fb5d7c14b
SHA256: 768a06cb7d2941550f1d8507d4e8945b685ca6ee6a4efa1729a35c1d0d958a1d
SHA512: 21658fb94ab6b67b067cbd9b657ff1d69a185701dd5472781712486d1d23d90398ff49bcb6529e4baa7faeaac023952e21125aac50bc20bd2c46448d047916b7

Filesize: 63KB
MD5: ec343649e585565ce14f16103a79202c
SHA1: 9e99f2ce3230cede79305e24c67282e832fe2f7d
SHA256: a56694459cb6b4f685d8d5a73ee3939967a0ceecc9ce9269043bccf1db3f6173
SHA512: 04f62799093377aaf76052624f917843b0362c5b4d3cc1d375fa4b4a5eae64c3d307ae086c737d9a9902119a02252cf0c37e5bef30f53bdd78b6745feab295f0

Filesize: 63KB
MD5: 542d7275032febc802f22cd1cda75fde
SHA1: f959e663d6380e8ea8252c94d432e5d65fb1264b
SHA256: 9f0dc952931d83b487188059e6eff66e41ea4af0135037417223bb9b7c87bb63
SHA512: 0488ec29784835b2831fe8596786bb14fca91e3246f7898d138c07a778c0991c6ccd3deff9c3ed1e9dff565222680dcd737331de5cd9196a76bc507aba88ba93