Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/01/2025, 00:35
Behavioral task: behavioral1
Sample: JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe
Size: 63KB
MD5: 7fccf02504296f7a2517532adae450fd
SHA1: 3725b65262871db393147079430bcde824da2a2d
SHA256: f11d72433512b6bf325419d1c039abe33d779c5e8cc8172b668e2b3aa23c64ff
SHA512: b682d6b7d274daec2031511bfcf552310e9d941b25050580165f9d070fd68566e81418f53566a39277a6d66955973d50293e065faddeb21d826ed57b0b3c9399
SSDEEP: 1536:2d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:OdseIOMEZEyFjEOFqTiQm5l/5
Malware Config (extracted)
Family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  PID  | Process
  1724 | omsecor.exe
  464  | omsecor.exe
  2672 | omsecor.exe
- Drops file in System32 directory (1 IoC)
  Description  | IoC                             | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description                      | PID  | Process                                            | procid_target
  PID 4732 wrote to memory of 1724 | 4732 | JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe | 82
  PID 4732 wrote to memory of 1724 | 4732 | JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe | 82
  PID 4732 wrote to memory of 1724 | 4732 | JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe | 82
  PID 1724 wrote to memory of 464  | 1724 | omsecor.exe                                        | 92
  PID 1724 wrote to memory of 464  | 1724 | omsecor.exe                                        | 92
  PID 1724 wrote to memory of 464  | 1724 | omsecor.exe                                        | 92
  PID 464 wrote to memory of 2672  | 464  | omsecor.exe                                        | 93
  PID 464 wrote to memory of 2672  | 464  | omsecor.exe                                        | 93
  PID 464 wrote to memory of 2672  | 464  | omsecor.exe                                        | 93
Processes (process tree; each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe (PID 4732)
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fccf02504296f7a2517532adae450fd.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1724)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\omsecor.exe (PID 464)
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2672)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads