netsupport | 70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23

General

Target

JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe
Size

881.3MB
MD5

584a88693e0f36323f641939df4fd568
SHA1

cdcfa20be885a908c7e63c203240c7073899780f
SHA256

70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23
SHA512

ff79a9276782a262039fc885dd3c677a7a6f99f7f5d0dfe2f509267811fcd94dfa7c9281c13a1b5111a4fa305f953831d9d9dba1e9dad7ce9ade29d707ca669e
SSDEEP

49152:aGzhmoSjcFNMcbm0dLovfFYvx7WA+0b7Gsr04TSfZeU69PX8hm50gpdnLosp:aG9mVSysLWFmLGR9fAUo0gpdnLosp

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe
2072	client32.exe
2072	client32.exe
2072	client32.exe
2072	client32.exe
2072	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2072	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31
PID 2416 wrote to memory of 2072	2416	JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe
  "C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2072

Network

DNS

Aeriarnwly14.com

client32.exe

Remote address:

8.8.8.8:53

Request

Aeriarnwly14.com

IN A

Response
DNS

Aeriarnwly14.com

client32.exe

Remote address:

8.8.8.8:53

Request

Aeriarnwly14.com

IN A
DNS

Aeriarnwly15.com

client32.exe

Remote address:

8.8.8.8:53

Request

Aeriarnwly15.com

IN A

Response
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

104.26.1.231

geo.netsupportsoftware.com

IN A

172.67.68.212
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Sun, 22 Dec 2024 07:00:25 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f5e3c1d7979ef17-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPfk4qO%2BRmAUb5pm%2BPNAoVcrh4I6Svwm1qnEa2kHQeNpwrdrIC1yGrA68Kn1kO2uNIMl8iEoipO3C0RAuUlr1hkGXh4BmUUKP09rSSeMlXjwhPfmlcHN4i3UlF54XQkkUtlpokfzB3i7emHy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=47122&min_rtt=47122&rtt_var=23561&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Sun, 22 Dec 2024 07:00:26 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f5e3c20cd8feefd-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d6EVQ2hBHYJuVbvxp%2B4I5B7vsbY9Q0armGHCaFfD9dxjjYF1fdLbhTPX1lWUMCFebwxMEXWRy%2F6eLRQj%2Fx%2BlyW%2BHZk1O9hi8Fn2jHZIP0Hil0h4WkSO8xsjl0xcRy8Nn0a0YuXQOoRhPzFBN"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=421248&min_rtt=421248&rtt_var=210624&sent=1&recv=2&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

104.26.0.231:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Sun, 22 Dec 2024 07:00:26 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f5e3c21d90793f8-LHR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EBVz3fpyYm3p%2FchbzKX17b1PMHsnkLltMljpRC7ndIf4dsNofWw3CqPAbK2mIpbQrLgpuR4jz4bKxANLGY6y7nGBafJ4mnpVDtSzXDGja7pF%2Brr5iEoyXOJnHNW4Txn2rCVpc%2FUK2HMTEl6i"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=47789&min_rtt=47789&rtt_var=23894&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"

104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

446 B
1.3kB
7
4

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

594 B
1.3kB
8
5

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404
104.26.0.231:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

394 B
1.3kB
6
4

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

404

8.8.8.8:53

Aeriarnwly14.com

dns

client32.exe

124 B
135 B
2
1

DNS Request

Aeriarnwly14.com

DNS Request

Aeriarnwly14.com
8.8.8.8:53

Aeriarnwly15.com

dns

client32.exe

62 B
135 B
1
1

DNS Request

Aeriarnwly15.com
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

104.26.0.231

104.26.1.231

172.67.68.212

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SupportWinUp\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\NSM.LIC

Filesize
261B

MD5
a5090670b2a33d3172d86a5e37d8eb1f

SHA1
2cc5ac0a5998ceef432f761e838fc1dcea95844d

SHA256
79cdc33dc604d8e5dfa3a03031235e4cf3dcf96563ee9dab52e41d91572ba2d9

SHA512
70926685c88ad3f821170a21f5f034ec340af4b00d5b320b47444424ca44cf61acc196026bf945173bc08c94ade2a7f096b291fc82f6f73f457ecb56ab76e66e

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe

Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.ini

Filesize
922B

MD5
dffa0231dc24306b8e3b2bd039626008

SHA1
045dfb40f236346bd81a3c4b066380e5836d210b

SHA256
e6ebb4737718713aa429816324aa74dad33cd714ad120cf06f56398dfae42a49

SHA512
28ad197d81f8c45dd211960e0a897ce1d99fdeff4a6f5f6f97933bb7aa7761e2827856d65be9197509bf1d853448e6fa5f1babbf9b067c9a5b75c49dfb5d2828

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\SupportWinUp\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.