Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2025, 12:22

Behavioral task: behavioral1
Sample: JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Size: 62KB
MD5: c807e4d568a3952d5a02845923fc33fb
SHA1: cbbfb8fc34b748277f6915d8d6edc13d8d82d915
SHA256: ddd6a75391502ac182b15d9849a21407661b4eb39b59be8d8c8cfe03d30874e0
SHA512: da96bf66d357355a69d80a8df90c98087e57599b85d76f7c238d5fe7aa67287f2fca6d0be0df7647835af7a5039e31e37d7c13e5d1695740a52a67cd3bb0802e
SSDEEP: 768:wMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:wbIvYvZEyFKF6N4yS+AQmZTl/5
Malware Config
Extracted family: neconyd
URLs:
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family

- Executes dropped EXE (3 IoCs)
  pid   Process
  2524  omsecor.exe
  3024  omsecor.exe
  1452  omsecor.exe

- Loads dropped DLL (6 IoCs)
  pid   Process
  2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
  2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
  2524  omsecor.exe
  2524  omsecor.exe
  3024  omsecor.exe
  3024  omsecor.exe

- Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                               procid_target
  PID 2504 wrote to memory of 2524   2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe  30
  PID 2504 wrote to memory of 2524   2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe  30
  PID 2504 wrote to memory of 2524   2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe  30
  PID 2504 wrote to memory of 2524   2504  JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe  30
  PID 2524 wrote to memory of 3024   2524  omsecor.exe                                           33
  PID 2524 wrote to memory of 3024   2524  omsecor.exe                                           33
  PID 2524 wrote to memory of 3024   2524  omsecor.exe                                           33
  PID 2524 wrote to memory of 3024   2524  omsecor.exe                                           33
  PID 3024 wrote to memory of 1452   3024  omsecor.exe                                           34
  PID 3024 wrote to memory of 1452   3024  omsecor.exe                                           34
  PID 3024 wrote to memory of 1452   3024  omsecor.exe                                           34
  PID 3024 wrote to memory of 1452   3024  omsecor.exe                                           34
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe"
  PID: 2504
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID: 2524
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe
      PID: 3024
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1452
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 62KB
MD5: 4821addee6464e71b2d178bb74c006e4
SHA1: 4ac50a52d8e3e77b289b344c1e87f89c26be0ec5
SHA256: 1988e801edffbf9b5a6c253c444723b1735ec7f7427c27841c995a0879392b27
SHA512: f395c94e01c756777ad3dce1f9f884e34bacdf07fd06c9568e05bf72b2a45cabda33adde26672d83b04194cfbe5b291a6c82a16eec183201408194684935010c

Filesize: 62KB
MD5: 99298efe4c990cd0c717c3863005ba83
SHA1: 8c76d3faf98519546fe066f36e230b1d4b82b26f
SHA256: e1bf6583916df405d20b5dec8f759fc5d36277398c2a87ef501e9091f11653a3
SHA512: 355242d20ca20913f128e53cddd114599094e56697fa171592de4ee74e4ee9cce38527ab2d111b11a370de8abf3e1903d465b82fb5508cb67c94c47082523b02

Filesize: 62KB
MD5: 94ea19efde454ab20a54cefcd8b2651a
SHA1: 89c5ff1671f9d615b20c66aeda981bc08a51df78
SHA256: 4e4cbbcd4fe83b9a2ac3eff71cd55dca7e55c513a3e75e4546f2ae35d236c1e0
SHA512: fa5495f9064914deed9b9157aa5f7d34a52ea62651c30c7f099ad174571008c508820008e246424acd1d436a744f1f90843f99411857393f7690ecfb5bfc2c1c