Overview

overview

10

Static

static

10

JaffaCakes...9b.exe

windows7-x64

10

JaffaCakes...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe

  • Size

    4.5MB

  • MD5

    5fac49ff6aad7f6a8291851580bffe9b

  • SHA1

    dfb3036a845cc2ddaa62d3566976b2656ba44725

  • SHA256

    b855bce10c0efd4998e88e95f6bfa4a2f6088c7c5b1befadcff2bb2045f159c7

  • SHA512

    25148871e7c04f25065194b0b227219f27a49eb91f0add5e58e5a8c6f6b0e5dbfcf53e439c297f7726e90ca4523930caa0ef74406c4b0dcf1461bb1302cad876

  • SSDEEP

    24576:99Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:DKnuTZh8JUUyJCS9CXT8Enys

Score
10/10
neconyddiscoverytrojan

Malware Config

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    4.5MB

    MD5

    6874cdda0a0ead79319c79be31da05f1

    SHA1

    0db244550a33fb4c7f4f1c8224d4bafb75ca92a4

    SHA256

    a9f77caddb6101cc4211d0b1324c14b9e3c02970b125f1870d048ee4f94772b7

    SHA512

    2ea3e3ddf2797c78994085f1238acb7c419cc5caa11ae5b83ccbd7e7adfae152682bab02dd52ad7391ca29d2c4744cca4c85740a9edc6f6d7c9e91a2d6b00353

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    4.5MB

    MD5

    a1a5ab9dd2869c7d5afc9912a3a644d3

    SHA1

    92aafd50ca717f858669bdfe73adb1c45aca011a

    SHA256

    b814c4fde82f894b2833e5f2cec032d02b2fa36a15989cf6ee93715e72a78760

    SHA512

    385648bc29391a6315bd5ed04bc22611066e442bbb55d056ab22b447e2251502b93d284dd9af723292b0d69b99084f8a6afa41bc591ab2253c68b2ff2f97a1d7

    Download Submit