Overview

overview

10

Static

static

10

e8317caac6...18.exe

windows7-x64

10

e8317caac6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08/04/2024, 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8317caac6568f4d37d8535a1e56ad29_JaffaCakes118.exe

  • Size

    493KB

  • MD5

    e8317caac6568f4d37d8535a1e56ad29

  • SHA1

    f0fd94999b1f177a9c356fe7d5d51ff67b57bd43

  • SHA256

    905fc6297517e940e073d09037ea044f2ba0ecf95f728abae8199bcc0ee2142d

  • SHA512

    339ba4b8ad3187845252d4397781db24e6334d5389437ca6b38132f96ea9d68651d05bb6fe6bf40a91e4398f2faaf73e5eae5d2345a747815f39bb6e946b1834

  • SSDEEP

    6144:7qqDLOObBf5tUgvk+HyxcQFcUdMOMJa1DHjzCytSi2OFbJKnblNGaN+SZxh8D5m5:2qnOO9BtqxcwdhrjzzcOlWkSZ3y5UB

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8317caac6568f4d37d8535a1e56ad29_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8317caac6568f4d37d8535a1e56ad29_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Documents and Settings\spoolsv.exe
      "C:\Documents and Settings\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\LSCSHostPolicy\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Documents and Settings\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Documents and Settings\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HelpPane\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\taskhost.exe
    Filesize

    493KB

    MD5

    e8317caac6568f4d37d8535a1e56ad29

    SHA1

    f0fd94999b1f177a9c356fe7d5d51ff67b57bd43

    SHA256

    905fc6297517e940e073d09037ea044f2ba0ecf95f728abae8199bcc0ee2142d

    SHA512

    339ba4b8ad3187845252d4397781db24e6334d5389437ca6b38132f96ea9d68651d05bb6fe6bf40a91e4398f2faaf73e5eae5d2345a747815f39bb6e946b1834

    Download Submit

  • memory/2112-25-0x0000000000CE0000-0x0000000000D62000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2112-27-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2112-28-0x000000001B090000-0x000000001B110000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-29-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2112-30-0x000000001B090000-0x000000001B110000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-31-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2968-0-0x0000000000370000-0x00000000003F2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2968-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2968-2-0x000000001B000000-0x000000001B080000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2968-26-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download