General
-
Target
156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118
-
Size
774KB
-
Sample
240329-b5248aeg75
-
MD5
156e3d59adc4d47edf5b12f8e10e4f9d
-
SHA1
a26ea9dc199039acb998a79ae4350e944d674bf9
-
SHA256
95c6777202c918304a78d0d16ecfe1d8969c6c89c920a969bb7e27f34e8c78b6
-
SHA512
b5ab8953fccf9af7c54a2b5963aaab69303c8a6342f3f0856249c535a003e33025dcc08bc662ad57a4bc49f5afa1f96e3eace1bf94817625d36717dc461d7a16
-
SSDEEP
24576:kNSDqhcQfj7xDq2N+4uF6I8QsaOXA/n3z:ocg92R9F92XA/z
Malware Config
Targets
-
-
Target
156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118
-
Size
774KB
-
MD5
156e3d59adc4d47edf5b12f8e10e4f9d
-
SHA1
a26ea9dc199039acb998a79ae4350e944d674bf9
-
SHA256
95c6777202c918304a78d0d16ecfe1d8969c6c89c920a969bb7e27f34e8c78b6
-
SHA512
b5ab8953fccf9af7c54a2b5963aaab69303c8a6342f3f0856249c535a003e33025dcc08bc662ad57a4bc49f5afa1f96e3eace1bf94817625d36717dc461d7a16
-
SSDEEP
24576:kNSDqhcQfj7xDq2N+4uF6I8QsaOXA/n3z:ocg92R9F92XA/z
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1