Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 08:14
Behavioral task behavioral1
Sample: 4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task behavioral2
Sample: 4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe
Size: 1.9MB
MD5: 4a2902958e01cc91f2e71736e0de83aa
SHA1: dcd0b86a807feeb0aa8e1178961b2685fb5cb502
SHA256: c826d112cbfa6ac5f2950113046c40a0aa00bc1595a0f2019d108df02b99b0a4
SHA512: ba14483508d21b04f99f42f8e544af296d214569a1d0ef8bae173a6acbe84f3f5e14b6b637685b1dfd5a794b5473f7276a71d0ea039e9bdab64552b5064d3c35
SSDEEP: 49152:P+NJvFDhjAe+RVZWI1oLTXD3+s5RHj7KoLl+c733H:0Ch3tmLTL+szfKoZT33H
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Drops startup file (4 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winlog.lnk (kasperskiy.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk (cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk (cmd.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkpHst32.lnk (kasperskiy.exe)
Executes dropped EXE (2 IoCs)
- PID 2796 AVvht7K88OJxvVRxYaye.exe
- PID 2776 kasperskiy.exe
Loads dropped DLL (2 IoCs)
- PID 2720 cmd.exe
- PID 1980 cmd.exe
yara_rule matches (resource: rule)
- behavioral1/memory/1708-0-0x0000000000400000-0x00000000004BE000-memory.dmp: upx
- behavioral1/memory/1708-11-0x0000000000400000-0x00000000004BE000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\d3dx32 = "C:\\Users\\Admin\\AppData\\Roaming\\System.lnk" (kasperskiy.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 7: ipinfo.io
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (43 IoCs)
- PID 2776 kasperskiy.exe (43 events)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 2776 kasperskiy.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Each of the following writes was recorded 4 times:
- PID 1708 (4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe) wrote to memory of PID 2564 (WScript.exe)
- PID 2564 (WScript.exe) wrote to memory of PID 2720 (cmd.exe)
- PID 2720 (cmd.exe) wrote to memory of PID 2796 (AVvht7K88OJxvVRxYaye.exe)
- PID 2796 (AVvht7K88OJxvVRxYaye.exe) wrote to memory of PID 3000 (WScript.exe)
- PID 3000 (WScript.exe) wrote to memory of PID 1980 (cmd.exe)
- PID 1980 (cmd.exe) wrote to memory of PID 2776 (kasperskiy.exe)
Processes (process tree, depth 1 to 7)
1. C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe (PID 1708)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a2902958e01cc91f2e71736e0de83aa_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WScript.exe (PID 2564)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FM1GV0nwV6NBGMhpkFkspN3EXmNiKp.vbs"
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\cmd.exe (PID 2720)
   Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\rDsNawCN4GJP9CexwTN1QKqyWf0dob.bat" "
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\AVvht7K88OJxvVRxYaye.exe (PID 2796)
   Command line: AVvht7K88OJxvVRxYaye.exe -p1eee374ad5fc54c69c3297f577d8316beeaaed85
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\WScript.exe (PID 3000)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System.vbe"
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\cmd.exe (PID 1980)
   Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\fV2k5DsZiGZrbZzOAu29ftdemcCJJ1.bat" "
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Roaming\kasperskiy.exe (PID 2776)
   Command line: "C:\Users\Admin\AppData\Roaming\kasperskiy.exe"
   - Drops startup file
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads