netsupport | 1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5 | Triage

Submit
Reports

Overview

overview

Static

static

7

JaffaCakes...b5.exe

windows7-x64

JaffaCakes...b5.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5
Size

716.8MB
Sample

241225-vmfm2szmfj
MD5

a00e163b017e029f435fbc99ecbe6221
SHA1

d6815cf9531fdb72c56c6927bab36ca664bf9f53
SHA256

1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5
SHA512

221981cf9115f3965dddcf4a2ce6484b795769803a8744162d78708bd0c60281d508373393c15719157ebf9293ff2dd122bd934d618ee99008b98f73c0b014a9
SSDEEP

196608:w3CGwnZGrra8DNclfWLV9+TzXTmM1rYx8bu:w3CGwnIn3NclfKVuN8wu

Score

10^/10

netsupport discovery evasion rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5.exe

Resource

win7-20241010-en

netsupport discovery evasion rat themida trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5.exe

Resource

win10v2004-20241007-en

netsupport discovery evasion rat themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5
- Size
  
  716.8MB
- MD5
  
  a00e163b017e029f435fbc99ecbe6221
- SHA1
  
  d6815cf9531fdb72c56c6927bab36ca664bf9f53
- SHA256
  
  1a40bf1f968914d05372bb2b5c6171c521877a4b7fb1d905f56ba7be8b6fb6b5
- SHA512
  
  221981cf9115f3965dddcf4a2ce6484b795769803a8744162d78708bd0c60281d508373393c15719157ebf9293ff2dd122bd934d618ee99008b98f73c0b014a9
- SSDEEP
  
  196608:w3CGwnZGrra8DNclfWLV9+TzXTmM1rYx8bu:w3CGwnIn3NclfKVuN8wu
Score

10^/10

netsupport discovery evasion rat themida trojan
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Netsupport family
  netsupport
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportdiscoveryevasionratthemidatrojan

behavioral2

netsupportdiscoveryevasionratthemidatrojan

© 2018-2024

Terms | Privacy