Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20/04/2024, 17:48
General
-
Target
fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
fd4a3af3861edfa99ca15c7b6dff39b2
-
SHA1
00cd93349f4ab8a3b5896440e31dc899cd8585b6
-
SHA256
af00e3c4645fac761a47656f84d5c2036307f00bb01a6fc5be008e5839e4a010
-
SHA512
8e447c4c017f3573b7c13b01fa6f2bebcc24ebf7b1ca859fc216b16003b0feec95b21a45906c0d6d180a312a73a9b8c4b0cf9c7db336f3ba8d449a39ba09be4b
-
SSDEEP
12288:BgHD+WWwXwSqYkjyPnV8GH2Yhpgqx+5R9BIPkMj3lH4cLRCUwphVlEAJqn4:BM+WnHMjyPV8o2Yv+YL31/LCtJ+4
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Recovery\WindowsRE\taskhostw.exe"C:\Recovery\WindowsRE\taskhostw.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5fd4a3af3861edfa99ca15c7b6dff39b2
SHA100cd93349f4ab8a3b5896440e31dc899cd8585b6
SHA256af00e3c4645fac761a47656f84d5c2036307f00bb01a6fc5be008e5839e4a010
SHA5128e447c4c017f3573b7c13b01fa6f2bebcc24ebf7b1ca859fc216b16003b0feec95b21a45906c0d6d180a312a73a9b8c4b0cf9c7db336f3ba8d449a39ba09be4b
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB