Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-01-2025 10:55

General

  • Target

    JaffaCakes118_ff49e72ad68a412debd2d538c47914b5.exe

  • Size

    68KB

  • MD5

    ff49e72ad68a412debd2d538c47914b5

  • SHA1

    4d2e6c367834f0e9cf0ee393fbf3ab2038fbf89b

  • SHA256

    ca252b3cf3a4886d723368026ab0fbb29c0a469158cedee9c74dd0c08498c9bc

  • SHA512

    c03621f31ba7591b43271d906ec7e0b97084fd442e69a3b7062ab6eec4c0f4e4d1c2585042167725eef3a07aa96f6ad1a931ccefff378bf04dbf4d56196c7998

  • SSDEEP

    1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:LdseIOMEZEyFjEOFqTiQm5l/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff49e72ad68a412debd2d538c47914b5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff49e72ad68a412debd2d538c47914b5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    68KB

    MD5

    b79f6456483571ff2aca632723efa77f

    SHA1

    21d01925192b661ca0a3a2089b0725d7a3846d39

    SHA256

    e4c5cf208085f8ed029eb947508c525027189981f2b6650cf991d6ba04f990b5

    SHA512

    bbc503c1d3f9d72a056bf1c859651cc75e8a797f5a82cc2965389c9e621a4b8d55363535b7882bd089224b500ea870909b2a9a58641f739cab3e630f9ef98e88

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    68KB

    MD5

    e3378d4da1ae3a3b990e55c5ac35fb44

    SHA1

    af0d62afe51cf139be10651eb22a1bfd2aa4003c

    SHA256

    a2a37d7f6932d74bbfbdf3014617f7a00808c915786ce05220bdab04215b81f8

    SHA512

    60cc46fce22fb493587d5f9567f462b376a11cd0208181d65c30f3fcb2734e67138743a8ec2137fb519a321cdcbddb38ade4d829b89068ec16f1028e507036a7