Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    16-05-2024 08:14

General

  • Target

    4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    4a2902958e01cc91f2e71736e0de83aa

  • SHA1

    dcd0b86a807feeb0aa8e1178961b2685fb5cb502

  • SHA256

    c826d112cbfa6ac5f2950113046c40a0aa00bc1595a0f2019d108df02b99b0a4

  • SHA512

    ba14483508d21b04f99f42f8e544af296d214569a1d0ef8bae173a6acbe84f3f5e14b6b637685b1dfd5a794b5473f7276a71d0ea039e9bdab64552b5064d3c35

  • SSDEEP

    49152:P+NJvFDhjAe+RVZWI1oLTXD3+s5RHj7KoLl+c733H:0Ch3tmLTL+szfKoZT33H

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FM1GV0nwV6NBGMhpkFkspN3EXmNiKp.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\rDsNawCN4GJP9CexwTN1QKqyWf0dob.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\AppData\Roaming\AVvht7K88OJxvVRxYaye.exe
          AVvht7K88OJxvVRxYaye.exe -p1eee374ad5fc54c69c3297f577d8316beeaaed85
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System.vbe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Roaming\fV2k5DsZiGZrbZzOAu29ftdemcCJJ1.bat" "
              6⤵
              • Drops startup file
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1980
              • C:\Users\Admin\AppData\Roaming\kasperskiy.exe
                "C:\Users\Admin\AppData\Roaming\kasperskiy.exe"
                7⤵
                • Drops startup file
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2776
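The seven-process chain above (sample → WScript → cmd → dropped EXE → WScript → cmd → kasperskiy.exe) is the behaviour worth detecting, not the file names, which are random per build. The following is an added example, not part of the sandbox report or the sandbox's own signatures: it replays the tree as constructed process-creation events and applies the chain rules a practitioner would write for it. The pid/ppid/image/cmdline fields are an assumed normalised schema rather than any vendor's telemetry format, and the `-p<value>` rule is a heuristic (the switch shape is consistent with a password-protected self-extracting archive, which the report does not confirm).

```python
"""Flag the script-host -> cmd -> dropped-EXE chain seen in the process tree.

Added example; not part of the sandbox report. EVENTS is constructed from the
report's process tree. The fields pid/ppid/image/cmdline are an assumed
normalised process-creation schema, not any vendor's telemetry format.
"""
import ntpath
import re

EVENTS = [  # constructed from the report's process tree (PIDs as listed)
    {"pid": 1708, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe"'},
    {"pid": 2564, "ppid": 1708, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FM1GV0nwV6NBGMhpkFkspN3EXmNiKp.vbs"'},
    {"pid": 2720, "ppid": 2564, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Roaming\rDsNawCN4GJP9CexwTN1QKqyWf0dob.bat" "'},
    {"pid": 2796, "ppid": 2720, "image": r"C:\Users\Admin\AppData\Roaming\AVvht7K88OJxvVRxYaye.exe",
     "cmdline": r"AVvht7K88OJxvVRxYaye.exe -p1eee374ad5fc54c69c3297f577d8316beeaaed85"},
    {"pid": 3000, "ppid": 2796, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System.vbe"'},
    {"pid": 1980, "ppid": 3000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Roaming\fV2k5DsZiGZrbZzOAu29ftdemcCJJ1.bat" "'},
    {"pid": 2776, "ppid": 1980, "image": r"C:\Users\Admin\AppData\Roaming\kasperskiy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\kasperskiy.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
# Per-user writable locations every dropped file in the report lives in.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:roaming|local\\temp)\\", re.I)
# First script-file argument on a command line, quoted or bare.
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd))"?', re.I)
# Heuristic (assumption): a bare -p<value> switch on a dropped EXE, the shape of
# a self-extracting-archive password switch. The report does not confirm this.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S+")


def basename(path):
    # Compare on the file name only, so WScript.exe under SysWOW64 (image) and
    # System32 (command line), i.e. WoW64 redirection, are treated alike.
    return ntpath.basename(path).lower()


def script_target(cmdline):
    m = SCRIPT_ARG.search(cmdline)
    return m.group(1) if m else None


def lineage(events, pid):
    """Image basenames from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def analyze(events):
    """Return (rule, pid) findings for the chain patterns in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        target = script_target(e["cmdline"])
        in_user_dir = bool(USER_WRITABLE.search(e["image"]))
        if name in SCRIPT_HOSTS and target and USER_WRITABLE.search(target):
            findings.append(("script_host_runs_user_dir_script", e["pid"]))
        if name in SHELLS and pname in SCRIPT_HOSTS and target and USER_WRITABLE.search(target):
            findings.append(("script_host_spawns_shell_with_user_dir_batch", e["pid"]))
        if in_user_dir and name not in SCRIPT_HOSTS | SHELLS:
            findings.append(("exe_runs_from_user_dir", e["pid"]))
        if in_user_dir and pname in SHELLS:
            findings.append(("shell_launches_user_dir_exe", e["pid"]))
        if in_user_dir and PASSWORD_SWITCH.search(e["cmdline"]):
            findings.append(("dropped_exe_with_password_switch", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{pid:>5}  {rule}")
    print(" -> ".join(lineage(EVENTS, 2776)))
```

Each rule fires on its own (a lone WScript launching a .vbs from Roaming is common enough in admin scripts to be noisy), so in practice the strongest signal is the combination: the full lineage ending in kasperskiy.exe has two script-host→cmd→EXE hops, and `lineage()` exposes that for a correlation rule.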

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\FM1GV0nwV6NBGMhpkFkspN3EXmNiKp.vbs

    Filesize

    116B

    MD5

    5253157db7b043f538a1f416835f254c

    SHA1

    f83c5e3f6133b92ffe2e8f8c6c05d95efe434414

    SHA256

    5b632746488d9fa873ac24438337bf4db9653c2bac58a5038ff81e13b460448a

    SHA512

    4709a2d6829fdecdfdbb02421bcd92ec1df7c842eb0565d63bdcc121fe7c1eb11d032f62f07d4a4125b2a8412a5703084aa42c54de9ba0f12a151e4c6adf19f1

  • C:\Users\Admin\AppData\Roaming\System.lnk

    Filesize

    1KB

    MD5

    c2c6568d9deea7955d7ecc1b9b313a5b

    SHA1

    cd5fe4740f63e8d454738c4158db6b7bd58ec9b9

    SHA256

    106fd8f17fcb58360a02215baf7c562ca1a572fb41d109ced27138086ff1133e

    SHA512

    26366914e439c74a2a3d9d6a340e34e9a98cfec08833404683bcc050dd1ea66d612e8b91fc8d8cf7181911154edeb52e8b97333f20c139b447814e5e7b4a2735

  • C:\Users\Admin\AppData\Roaming\System.vbe

    Filesize

    364B

    MD5

    3889b1a5f010ce2cdae701aa12e12748

    SHA1

    888f40b996c0cf3312de3fdfff2e30b8e6576c85

    SHA256

    9fea306141dd85b2876bb7cbb2b2abfd724854f72bd27ceef82803fc8219d035

    SHA512

    f8622c460cd50c7b33f58b711ddf442d3f9906ccd74fdaffd5deafc1340aa159b15eea2b18490243dc1779fef6bc10e8edf17f383745efe745378a82d9a760bd

  • C:\Users\Admin\AppData\Roaming\fV2k5DsZiGZrbZzOAu29ftdemcCJJ1.bat

    Filesize

    723B

    MD5

    1cc1057e91edd02ce3af9a6a193b2520

    SHA1

    842f11d646906fe671970a51bebc645200af733b

    SHA256

    5903cb7ab21cccf29725cac35a4db516c5d586f3a9bea52b4335f80d91b48eef

    SHA512

    9e966d6de171230c7d8156a587960dedabfb46d3430155f421ee5befcf77577217c99190f74c565ba07a502bcc69e65bc6568b12700345618be2cb16ba68a73c

  • C:\Users\Admin\AppData\Roaming\rDsNawCN4GJP9CexwTN1QKqyWf0dob.bat

    Filesize

    100B

    MD5

    a0c2c81f8c81da5f49ab2835e468a304

    SHA1

    9041173a0baa1a6e840f2fbc0a76ab01726292b6

    SHA256

    3e280177c9acc9a20336f14086bb1fed8ce63eacf8f4aae08015538b0ee76168

    SHA512

    9835061782b222becd2b9128d97789844916f4ec76a987d95885733c3c9c80769f6aa3f8d74a3295e0528556d0958188df7394d6e7828371f6c4bd413aafa7ae

  • C:\Users\Admin\AppData\Roaming\vmcheck32.dll

    Filesize

    684B

    MD5

    0c62f61d9b8c9a9d88924b59f00fa804

    SHA1

    8c918348c04b7f9c514b0d3d0b9d30700ac2e41e

    SHA256

    f07a6667289d38a1aa11e85a92c4d3de74b28b80e17af777f9f6a2e370b2af16

    SHA512

    a29c75ed94c6fb70108fe1ed4b8aa96867f4ff2cc27e9cb4b7ec3dfd5fb34e64fc4b957c0e306709fe7c38aea0330ad4e40cfdfa5c491f022c3277d87411d056

  • \Users\Admin\AppData\Roaming\AVvht7K88OJxvVRxYaye.exe

    Filesize

    1.5MB

    MD5

    07deb9adc1b5c6b6c0654c589b593b2a

    SHA1

    d636fcdece4747ea544554799e65f9d8e9ae2b41

    SHA256

    06b4ab5add1e394b089c9552bc4e2ad742093af6129d927cf38206d9f9d9297d

    SHA512

    97249b09693073f449f6981493c9f92543085ae0033c8759d22e6aee93e049656d2cd87a53fb90b4db81ccb38dde88a26ce3f47e1c70ab164dbd509a13a245c1

  • \Users\Admin\AppData\Roaming\kasperskiy.exe

    Filesize

    1.9MB

    MD5

    ecf4b9b54c43151ea020b003e1db2fc9

    SHA1

    441252d8a0bb62cae18c692c3e52e876485c404b

    SHA256

    3eedee6c55f3c66b94413397fdf4b4fda05e7706bf9ba99df1090508986180a2

    SHA512

    b79a66f95c33f2bceca6f8319130dd6f9fa6807ed11eb9139ef8e5bcc604917925fb6f8f33dfc54aae3e1c1681216be5551a266f8344a8c71846f724544c975d

  • memory/1708-0-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/1708-1-0x0000000076FB0000-0x0000000076FB1000-memory.dmp

    Filesize

    4KB

  • memory/1708-11-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

  • memory/2776-36-0x0000000000370000-0x0000000000564000-memory.dmp

    Filesize

    2.0MB
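The Downloads list above is the file-level IoC set for this sample: everything lands under the user's AppData\Roaming, and the report flags both a startup file and a Run key (without naming the value). The following is an added example, not part of the sandbox report or the sandbox's tooling, that sweeps those locations for the listed SHA256 values and, on Windows, lists HKCU Run values pointing back into the profile. The report hashes are copied from the list above; the default roots and the Run key path are the standard per-user locations, and the Run-value filter is an assumption since the report does not give the persistence entry itself.

```python
"""Sweep a host for the dropped files and persistence the report lists.

Added example; not part of the sandbox report or its tooling. REPORT_SHA256 is
copied from the report's Downloads section. Default roots and the Run key are
the standard per-user locations; the report does not name the Run value.
"""
import hashlib
import os
import sys

REPORT_SHA256 = {
    "5b632746488d9fa873ac24438337bf4db9653c2bac58a5038ff81e13b460448a": "FM1GV0nwV6NBGMhpkFkspN3EXmNiKp.vbs",
    "106fd8f17fcb58360a02215baf7c562ca1a572fb41d109ced27138086ff1133e": "System.lnk",
    "9fea306141dd85b2876bb7cbb2b2abfd724854f72bd27ceef82803fc8219d035": "System.vbe",
    "5903cb7ab21cccf29725cac35a4db516c5d586f3a9bea52b4335f80d91b48eef": "fV2k5DsZiGZrbZzOAu29ftdemcCJJ1.bat",
    "3e280177c9acc9a20336f14086bb1fed8ce63eacf8f4aae08015538b0ee76168": "rDsNawCN4GJP9CexwTN1QKqyWf0dob.bat",
    "f07a6667289d38a1aa11e85a92c4d3de74b28b80e17af777f9f6a2e370b2af16": "vmcheck32.dll",
    "06b4ab5add1e394b089c9552bc4e2ad742093af6129d927cf38206d9f9d9297d": "AVvht7K88OJxvVRxYaye.exe",
    "3eedee6c55f3c66b94413397fdf4b4fda05e7706bf9ba99df1090508986180a2": "kasperskiy.exe",
    "c826d112cbfa6ac5f2950113046c40a0aa00bc1595a0f2019d108df02b99b0a4": "4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe",
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a 1.9MB (or larger) dropper is not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, iocs=REPORT_SHA256):
    """Return (path, sha256, report_name) for every file whose hash is in iocs."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue  # locked or vanished file: skip it, don't abort the sweep
                if digest in iocs:
                    hits.append((path, digest, iocs[digest]))
    return hits


def default_roots():
    # %APPDATA% covers Roaming and, beneath it, the Startup folder
    # (Microsoft\Windows\Start Menu\Programs\Startup) the report's
    # "Drops startup file" signature refers to; %LOCALAPPDATA%\Temp is where
    # the original sample ran from.
    appdata = os.environ.get("APPDATA", "")
    local = os.environ.get("LOCALAPPDATA", "")
    return [p for p in (appdata, os.path.join(local, "Temp")) if p]


def suspicious_run_values():
    """HKCU Run values whose command points into AppData (Windows only).

    Assumption: the report says a Run key was added but not its name or
    value, so this filters on the directory the dropped files live in.
    """
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    out, i = [], 0
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break
        if "appdata" in str(value).lower():
            out.append((name, value))
        i += 1
    return out


if __name__ == "__main__":
    for path, digest, label in sweep(default_roots()):
        print(f"MATCH {label}: {path} ({digest})")
    for name, value in suspicious_run_values():
        print(f"RUN   {name} = {value}")
```

An exact SHA256 match only catches this build; the dropper names are random per build and a repacked sample changes every hash. The SSDEEP value in the General section is the hash to use for near-duplicate matching across builds, and the process-chain behaviour is the durable signal.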