Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2025, 03:20 UTC
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
- Size: 128KB
- MD5: 01b36e0afa6cf15ee49ba2c56994f33f
- SHA1: d3449d903ff8473fd6efd34808f7cb0802a7d3ef
- SHA256: 17c155d38b7255f10a57d43f44014dd6d0b1c28201e62db9c08d39e10ef064c6
- SHA512: 530b75c4052de6c7d1b5d6b0a34a4007a19efc31c52682625c079bd51847c97d1e200b9bdeadd923af3064a53c7ae365e4a32b124e60c42fd11682788293d9c2
- SSDEEP: 1536:GDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:4iRTe3n8BMAW6J6f1tqF6dngNmaZrN
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
3928 | omsecor.exe
2020 | omsecor.exe
4080 | omsecor.exe
4048 | omsecor.exe
808 | omsecor.exe
4620 | omsecor.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 4248 set thread context of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 3928 set thread context of 2020 | 3928 | omsecor.exe | 87
PID 4080 set thread context of 4048 | 4080 | omsecor.exe | 108
PID 808 set thread context of 4620 | 808 | omsecor.exe | 112

Program crash (4 IoCs)
pid | pid_target | Process | procid_target
5008 | 4248 | WerFault.exe | 82
5068 | 3928 | WerFault.exe | 86
744 | 4080 | WerFault.exe | 107
3608 | 808 | WerFault.exe | 110

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 4248 wrote to memory of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 4248 wrote to memory of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 4248 wrote to memory of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 4248 wrote to memory of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 4248 wrote to memory of 3500 | 4248 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 83
PID 3500 wrote to memory of 3928 | 3500 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 86
PID 3500 wrote to memory of 3928 | 3500 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 86
PID 3500 wrote to memory of 3928 | 3500 | JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe | 86
PID 3928 wrote to memory of 2020 | 3928 | omsecor.exe | 87
PID 3928 wrote to memory of 2020 | 3928 | omsecor.exe | 87
PID 3928 wrote to memory of 2020 | 3928 | omsecor.exe | 87
PID 3928 wrote to memory of 2020 | 3928 | omsecor.exe | 87
PID 3928 wrote to memory of 2020 | 3928 | omsecor.exe | 87
PID 2020 wrote to memory of 4080 | 2020 | omsecor.exe | 107
PID 2020 wrote to memory of 4080 | 2020 | omsecor.exe | 107
PID 2020 wrote to memory of 4080 | 2020 | omsecor.exe | 107
PID 4080 wrote to memory of 4048 | 4080 | omsecor.exe | 108
PID 4080 wrote to memory of 4048 | 4080 | omsecor.exe | 108
PID 4080 wrote to memory of 4048 | 4080 | omsecor.exe | 108
PID 4080 wrote to memory of 4048 | 4080 | omsecor.exe | 108
PID 4080 wrote to memory of 4048 | 4080 | omsecor.exe | 108
PID 4048 wrote to memory of 808 | 4048 | omsecor.exe | 110
PID 4048 wrote to memory of 808 | 4048 | omsecor.exe | 110
PID 4048 wrote to memory of 808 | 4048 | omsecor.exe | 110
PID 808 wrote to memory of 4620 | 808 | omsecor.exe | 112
PID 808 wrote to memory of 4620 | 808 | omsecor.exe | 112
PID 808 wrote to memory of 4620 | 808 | omsecor.exe | 112
PID 808 wrote to memory of 4620 | 808 | omsecor.exe | 112
PID 808 wrote to memory of 4620 | 808 | omsecor.exe | 112
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe"
  PID: 4248
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01b36e0afa6cf15ee49ba2c56994f33f.exe
    PID: 3500
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 3928
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2020
        Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\omsecor.exe
          Command line: C:\Windows\System32\omsecor.exe
          PID: 4080
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\omsecor.exe
            Command line: C:\Windows\SysWOW64\omsecor.exe
            PID: 4048
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 808
              Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
              - C:\Users\Admin\AppData\Roaming\omsecor.exe
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                PID: 4620
                Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 268
                PID: 3608
                Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 292
            PID: 744
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 288
        PID: 5068
        Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 300
    PID: 5008
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4248 -ip 4248
  PID: 3924
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3928 -ip 3928
  PID: 4800
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4080 -ip 4080
  PID: 3468
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 808 -ip 808
  PID: 3012
Network

- Remote address: 8.8.8.8:53
  Request: 97.17.167.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: lousta.net IN A
  Response: lousta.net IN A 193.166.255.171
- Remote address: 8.8.8.8:53
  Request: 172.210.232.199.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 167.173.78.104.in-addr.arpa IN PTR
  Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 71.159.190.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 217.106.137.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 209.205.72.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 197.87.175.4.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 198.187.3.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 15.197.204.56; mkkuei4kdsz.com IN A 3.33.243.145
- Remote address: 15.197.204.56:80
  Request:
    GET /993/876.html HTTP/1.1
    From: 133819246504669111
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 09:18:34 GMT
    content-length: 114
- Remote address: 8.8.8.8:53
  Request: 56.204.197.15.in-addr.arpa IN PTR
  Response: 56.204.197.15.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com
- Remote address: 8.8.8.8:53
  Request: ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229
- Remote address: 52.34.198.229:80
  Request:
    GET /592/756.html HTTP/1.1
    From: 133819246504669111
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 09:18:44 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=974d24eeae323b626f6135283205ba78|181.215.176.83|1737451124|1737451124|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
- Remote address: 8.8.8.8:53
  Request: 229.198.34.52.in-addr.arpa IN PTR
  Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com
- Remote address: 15.197.204.56:80
  Request:
    GET /835/663.html HTTP/1.1
    From: 133819246504669111
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+57.db_7`/`e,1/245,d8+_a310..627
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 09:19:57 GMT
    content-length: 114
Traffic summary

- Sent: 260 B (5 packets)
- Sent: 260 B (5 packets)
- Sent: 467 B (6 packets); Received: 388 B (4 packets)
  HTTP Request: GET http://mkkuei4kdsz.com/993/876.html
  HTTP Response: 200
- Sent: 467 B (6 packets); Received: 623 B (5 packets)
  HTTP Request: GET http://ow5dirasuek.com/592/756.html
  HTTP Response: 200
- Sent: 260 B (5 packets)
- Sent: 260 B (5 packets)
- Sent: 375 B (4 packets); Received: 348 B (3 packets)
  HTTP Request: GET http://mkkuei4kdsz.com/835/663.html
  HTTP Response: 200
- Sent: 71 B (1 packet); Received: 145 B (1 packet)
  DNS Request: 97.17.167.52.in-addr.arpa
- Sent: 56 B (1 packet); Received: 72 B (1 packet)
  DNS Request: lousta.net
  DNS Response: 193.166.255.171
- Sent: 74 B (1 packet); Received: 128 B (1 packet)
  DNS Request: 172.210.232.199.in-addr.arpa
- Sent: 73 B (1 packet); Received: 139 B (1 packet)
  DNS Request: 167.173.78.104.in-addr.arpa
- Sent: 72 B (1 packet); Received: 158 B (1 packet)
  DNS Request: 71.159.190.20.in-addr.arpa
- Sent: 73 B (1 packet); Received: 147 B (1 packet)
  DNS Request: 217.106.137.52.in-addr.arpa
- Sent: 72 B (1 packet); Received: 158 B (1 packet)
  DNS Request: 209.205.72.20.in-addr.arpa
- Sent: 71 B (1 packet); Received: 157 B (1 packet)
  DNS Request: 197.87.175.4.in-addr.arpa
- Sent: 71 B (1 packet); Received: 157 B (1 packet)
  DNS Request: 198.187.3.20.in-addr.arpa
- Sent: 61 B (1 packet); Received: 93 B (1 packet)
  DNS Request: mkkuei4kdsz.com
  DNS Response: 15.197.204.56, 3.33.243.145
- Sent: 72 B (1 packet); Received: 128 B (1 packet)
  DNS Request: 56.204.197.15.in-addr.arpa
- Sent: 61 B (1 packet); Received: 77 B (1 packet)
  DNS Request: ow5dirasuek.com
  DNS Response: 52.34.198.229
- Sent: 72 B (1 packet); Received: 135 B (1 packet)
  DNS Request: 229.198.34.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 128KB
  MD5: d9ee0f58e9bb340fd65f6cea280ee6d6
  SHA1: d93bb03ee049c25045c0e80503a95a8902f9bc60
  SHA256: 5bb1d482adcf9a915a5633b7413d560a031331c9d633ea0d251371b2e57d3410
  SHA512: e5d37679407bfe31dd3c88474247b27380d7e066b187614ede78cb491adfafa3d68a230bf48296721ae01450afabe75f842b105e3e31a6e73aaaa48bf307fc1c
- Filesize: 128KB
  MD5: 3defeeae711daf9a6d3cf2c344612392
  SHA1: 8edb83e3de0a7a35353b6385f7291d7813e71d7a
  SHA256: 2fac71169f4d7d0a00b5226b6b131a9a6bb85fcbde768debd0dce046511c7e63
  SHA512: 6f257bbe9ae4509e573bd2d7db5b7995fcb107f91c8231dedc8866f3f8e17cef546666915e06e2db399a145bfe4ce4235a46dd4473524f358bf6963008c72b1a
- Filesize: 128KB
  MD5: 75fc48da684a93475170bc4ab2c9f10c
  SHA1: 6f4aee2a9e6384cbc15c616a8d7b51a18c625020
  SHA256: 0a822f51e0a5caf31e77da7f69a3fb2cbcd04cfbf5e44a25b3aa6ca8479d6622
  SHA512: fb5f4a6df677dc6def75e0dfc60922bbd173aef401c3e829b9fde5c1133f22fa6479579cacdc6d874d11356005e8ac994b310ca4d67c485a16f8dbf20c3d4aad