General

  • Target

    f7873b3d8b8f6cf252b37ad3ee8a57b1754b82acc1d0840184af4ce4c237a0db_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240418-h683gsfh7z

  • MD5

    181173ad7c15eb5691d550b1add91036

  • SHA1

    abcf6126173292aa3c4f077c739b7cd8c97b8128

  • SHA256

    f7873b3d8b8f6cf252b37ad3ee8a57b1754b82acc1d0840184af4ce4c237a0db

  • SHA512

    035900f1f1fee074d99d4682d38c235fae4a51da3580d93fc81f38fa84299bf5caf8e6f68b47e13e9b7189bf89d11d42840ad3c5b9a4c906dc4c1fe350c76445

  • SSDEEP

    49152:2lHPy2tVhndTobZzxb0aAJ/ubQmowkA/lk:2lHPyU6br47ubQpwkA/

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID          Count
Execution             Scheduled Task/Job                   T1053       1
Persistence           Boot or Logon Autostart Execution    T1547       2
Persistence           Registry Run Keys / Startup Folder   T1547.001   1
Persistence           Winlogon Helper DLL                  T1547.004   1
Persistence           Scheduled Task/Job                   T1053       1
Privilege Escalation  Boot or Logon Autostart Execution    T1547       2
Privilege Escalation  Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation  Winlogon Helper DLL                  T1547.004   1
Privilege Escalation  Scheduled Task/Job                   T1053       1
Defense Evasion       Modify Registry                      T1112       2
Discovery             Query Registry                       T1012       2
Discovery             System Information Discovery         T1082       2

Tasks