netsupport | ca716460789ee11dd3e8950ea8cb8439f9c8f81d440722a162094bc77dfb4f8b

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe
Size

3.0MB
MD5

68ba4a4817b9571586df8f69562304b2
SHA1

ca88cdb06157a73f651dab9c409f72f6363a4602
SHA256

ca716460789ee11dd3e8950ea8cb8439f9c8f81d440722a162094bc77dfb4f8b
SHA512

bad6b6f383675564f732d3d182f09d83fc5738b6b4085259609942d1de4233de641a9637da9279dc6c1f427a2b74cc936522f932ec8f4aff22d3d9323a7d4a62
SSDEEP

49152:+qe3f6eaRJ0VLchdr+pHHuOWMuM46LRoRvgpwa94teygbsi:vSiOusHTXotfdewi

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Executes dropped EXE 2 IoCs

pid	Process
2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
2440	RuntimeBroker.exe

Loads dropped DLL 7 IoCs

pid	Process
2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe
2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
2440	RuntimeBroker.exe
2440	RuntimeBroker.exe
2440	RuntimeBroker.exe
2440	RuntimeBroker.exe
2440	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2440	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
2440	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2020 wrote to memory of 2268	2020	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe	30
PID 2268 wrote to memory of 2440	2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp	32
PID 2268 wrote to memory of 2440	2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp	32
PID 2268 wrote to memory of 2440	2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp	32
PID 2268 wrote to memory of 2440	2268	JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\is-06808.tmp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-06808.tmp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp" /SL5="$30146,2328649,779776,C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSurrounder\NSM.LIC

Filesize
259B

MD5
ac5d5cc9acad4531ef1bd16145ea68bd

SHA1
f9d92f79a934815b645591ebbd6f5d20aa6a3e38

SHA256
68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

SHA512
196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

Download Submit
C:\Users\Admin\AppData\Roaming\WinSurrounder\PCICL32.dll

Filesize
3.6MB

MD5
21e49d937a929db0ff9c265e8b2b6777

SHA1
88000b29bb69b3e8a29f30f0274de3e71a8b7ef7

SHA256
9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1

SHA512
165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf

Download Submit
C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe

Filesize
85KB

MD5
1cb88aeae38477423560246200f68dac

SHA1
18a1a1631810045b96fed256be26b12aeda07fc1

SHA256
c6d455a464ca61777ace3d161d2d9e8fb27e135dd941e001c120a844f7005b9f

SHA512
d4754a7cd308dd4763dc01d0e4257f32114ea030f1c4eb955333b8cf106c0fcc9872b6c1002c5d2637ca8da476b4c9098b06bbf46211bdd22252fcc1cabc7eff

Download Submit
C:\Users\Admin\AppData\Roaming\WinSurrounder\client32.ini

Filesize
706B

MD5
812452fb7d6044657f21868f8b046ec8

SHA1
2a3d0cfa5ef48c687ed42c101c3466b8104379bf

SHA256
3a0fcc3de6f38f43bc68c3f7733470c5ae0ba7e44231f381a555c26f72cded2d

SHA512
ff72c6f6e830a34bcb84f44030568b709b422868d93a7ad0c12a2da1d7e1fdee6e048e23b90d87a0d98383d3964ab71d28db98f58ad381c93c06682ae1b4ec36

Download Submit
C:\Users\Admin\AppData\Roaming\WinSurrounder\pcichek.dll

Filesize
17KB

MD5
018b7364f4de19d99c37665eb8555fc5

SHA1
661d32b263131f27c890a3a17e3a7f58b0035f93

SHA256
fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71

SHA512
82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8

Download Submit
\Users\Admin\AppData\Local\Temp\is-06808.tmp\JaffaCakes118_68ba4a4817b9571586df8f69562304b2.tmp

Filesize
3.0MB

MD5
d4d43c792aa5d73f0cd7b1d9d461487b

SHA1
f20d2a3840dad80ab7be903d5a7d9db0fd4a515d

SHA256
9f2f5a6aa41c4d27b4e98a1e97e775c390bf171b4ba81815dd769c6f4a5e2ca5

SHA512
1b29ed1538e166644328d48a7189e827bc8b5d732c94cc3dde6d28b62b30515892a8d17de7579e69074f876b7cad9b79425908c7721d2ce59f844d9ef83dc5b5

Download Submit
\Users\Admin\AppData\Roaming\WinSurrounder\HTCTL32.DLL

Filesize
319KB

MD5
bf9dd864f5822dc28ffce9529bae15ba

SHA1
ee578ba78ddaf0547edd23355dbc658cdc1b86ab

SHA256
74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6

SHA512
ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e

Download Submit
\Users\Admin\AppData\Roaming\WinSurrounder\msvcr100.dll

Filesize
759KB

MD5
7aa3e993ffef3a554ebab6532eac4075

SHA1
92b541293c63a4fb343327a1cc7708f96e7eec74

SHA256
aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e

SHA512
97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49

Download Submit
\Users\Admin\AppData\Roaming\WinSurrounder\pcicapi.dll

Filesize
31KB

MD5
191bd0cc859e47aaa7c5195f58f56d4e

SHA1
c2d91b7688ab3d4fbc08dc8df895323ca2c47460

SHA256
3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29

SHA512
9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08

Download Submit
memory/2020-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2020-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2020-71-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2020-77-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2268-9-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/2268-73-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download
memory/2268-75-0x0000000000400000-0x0000000000705000-memory.dmp

Filesize
3.0MB

Download