Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21/01/2025, 03:20 UTC

General

  • Target

    JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe

  • Size

    128KB

  • MD5

    01b36e0afa6cf15ee49ba2c56994f33f

  • SHA1

    d3449d903ff8473fd6efd34808f7cb0802a7d3ef

  • SHA256

    17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6

  • SHA512

    530b75c4052de6c7d1b5d6b0a34a4007a19efc31c52682625c079bd51847c97d1e200b9bdeadd923af3064a53c7ae365e4a32b124e60c42fd11682788293d9c2

  • SSDEEP

    1536:GDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:4iRTe3n8BMAW6J6f1tqF6dngNmaZrN

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4080
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4048
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:808
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4620
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 268
                  8⤵
                  • Program crash
                  PID:3608
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 292
              6⤵
              • Program crash
              PID:744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 288
          4⤵
          • Program crash
          PID:5068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 300
      2⤵
      • Program crash
      PID:5008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4248 -ip 4248
    1⤵
    PID:3924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3928 -ip 3928
    1⤵
    PID:4800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4080 -ip 4080
    1⤵
    PID:3468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 808 -ip 808
    1⤵
    PID:3012

Network

  • DNS 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS lousta.net
    Process: omsecor.exe
    Remote address: 8.8.8.8:53
    Request: lousta.net IN A
    Response: lousta.net IN A 193.166.255.171
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 167.173.78.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 167.173.78.104.in-addr.arpa IN PTR
    Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
  • DNS 71.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 71.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 217.106.137.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 209.205.72.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 197.87.175.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 197.87.175.4.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS mkkuei4kdsz.com
    Process: omsecor.exe
    Remote address: 8.8.8.8:53
    Request: mkkuei4kdsz.com IN A
    Response: mkkuei4kdsz.com IN A 15.197.204.56
              mkkuei4kdsz.com IN A 3.33.243.145
  • GET http://mkkuei4kdsz.com/993/876.html
    Process: omsecor.exe
    Remote address: 15.197.204.56:80
    Request:
      GET /993/876.html HTTP/1.1
      From: 133819246504669111
      Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
      Host: mkkuei4kdsz.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      content-type: text/html
      date: Tue, 21 Jan 2025 09:18:34 GMT
      content-length: 114
  • DNS 56.204.197.15.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 56.204.197.15.in-addr.arpa IN PTR
    Response: 56.204.197.15.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com
  • DNS ow5dirasuek.com
    Process: omsecor.exe
    Remote address: 8.8.8.8:53
    Request: ow5dirasuek.com IN A
    Response: ow5dirasuek.com IN A 52.34.198.229
  • GET http://ow5dirasuek.com/592/756.html
    Process: omsecor.exe
    Remote address: 52.34.198.229:80
    Request:
      GET /592/756.html HTTP/1.1
      From: 133819246504669111
      Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
      Host: ow5dirasuek.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Server: nginx
      Date: Tue, 21 Jan 2025 09:18:44 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=974d24eeae323b626f6135283205ba78|181.215.176.83|1737451124|1737451124|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • DNS 229.198.34.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 229.198.34.52.in-addr.arpa IN PTR
    Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com
  • GET http://mkkuei4kdsz.com/835/663.html
    Process: omsecor.exe
    Remote address: 15.197.204.56:80
    Request:
      GET /835/663.html HTTP/1.1
      From: 133819246504669111
      Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
      Host: mkkuei4kdsz.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      content-type: text/html
      date: Tue, 21 Jan 2025 09:19:57 GMT
      content-length: 114
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/993/876.html
    http
    omsecor.exe
    467 B
    388 B
    6
    4
    HTTP Request: GET http://mkkuei4kdsz.com/993/876.html
    HTTP Response: 200
  • 52.34.198.229:80
    http://ow5dirasuek.com/592/756.html
    http
    omsecor.exe
    467 B
    623 B
    6
    5
    HTTP Request: GET http://ow5dirasuek.com/592/756.html
    HTTP Response: 200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/835/663.html
    http
    omsecor.exe
    375 B
    348 B
    4
    3
    HTTP Request: GET http://mkkuei4kdsz.com/835/663.html
    HTTP Response: 200
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1
    DNS Request: 97.17.167.52.in-addr.arpa
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1
    DNS Request: lousta.net
    DNS Response: 193.166.255.171
  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1
    DNS Request: 167.173.78.104.in-addr.arpa
  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1
    DNS Request: 71.159.190.20.in-addr.arpa
  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1
    DNS Request: 209.205.72.20.in-addr.arpa
  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1
    DNS Request: 197.87.175.4.in-addr.arpa
  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1
    DNS Request: mkkuei4kdsz.com
    DNS Response: 15.197.204.56, 3.33.243.145
  • 8.8.8.8:53
    56.204.197.15.in-addr.arpa
    dns
    72 B
    128 B
    1
    1
    DNS Request: 56.204.197.15.in-addr.arpa
  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1
    DNS Request: ow5dirasuek.com
    DNS Response: 52.34.198.229
  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1
    DNS Request: 229.198.34.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 128KB
    MD5: d9ee0f58e9bb340fd65f6cea280ee6d6
    SHA1: d93bb03ee049c25045c0e80503a95a8902f9bc60
    SHA256: 5bb1d482adcf9a915a5633b7413d560a031331c9d633ea0d251371b2e57d3410
    SHA512: e5d37679407bfe31dd3c88474247b27380d7e066b187614ede78cb491adfafa3d68a230bf48296721ae01450afabe75f842b105e3e31a6e73aaaa48bf307fc1c
  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize: 128KB
    MD5: 3defeeae711daf9a6d3cf2c344612392
    SHA1: 8edb83e3de0a7a35353b6385f7291d7813e71d7a
    SHA256: 2fac71169f4d7d0a00b5226b6b131a9a6bb85fcbde768debd0dce046511c7e63
    SHA512: 6f257bbe9ae4509e573bd2d7db5b7995fcb107f91c8231dedc8866f3f8e17cef546666915e06e2db399a145bfe4ce4235a46dd4473524f358bf6963008c72b1a
  • C:\Windows\SysWOW64\omsecor.exe
    Filesize: 128KB
    MD5: 75fc48da684a93475170bc4ab2c9f10c
    SHA1: 6f4aee2a9e6384cbc15c616a8d7b51a18c625020
    SHA256: 0a822f51e0a5caf31e77da7f69a3fb2cbcd04cfbf5e44a25b3aa6ca8479d6622
    SHA512: fb5f4a6df677dc6def75e0dfc60922bbd173aef401c3e829b9fde5c1133f22fa6479579cacdc6d874d11356005e8ac994b310ca4d67c485a16f8dbf20c3d4aad
  • memory/2020-12-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-25-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-21-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-13-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-14-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-17-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/2020-20-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3500-0-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3500-2-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3500-8-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/3500-1-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4048-31-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4048-36-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4048-30-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4620-42-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4620-41-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4620-43-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/4620-46-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB