General
-
Target
04409dc1f7a788f5091ab75642352d77_JaffaCakes118
-
Size
3.6MB
-
Sample
240622-2vcppayckh
-
MD5
04409dc1f7a788f5091ab75642352d77
-
SHA1
9f0e0f9a3d316ed6e4ecd1172f39ec1ea2d40cfe
-
SHA256
d96d88d32ff38d66af304993147ed3b4f415c341f0c0b1ee6a617fa8a2e8a216
-
SHA512
f52c41ca1490ce6c1321548665ca04964b7a26c352a83222ce1efcc0f92e9400d36859634a662a3f35afbf51c834c5a18680aa3cb058d4d7c1e53d7938b8afb4
-
SSDEEP
768:7bP3F+MN+lvbGG8cjl2pp3333333333333gqPe+Ri/PwkS7iJdJAI0xdClp37Dfq:nrjm6
Static task
static1
Behavioral task
behavioral1
Sample
04409dc1f7a788f5091ab75642352d77_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
04409dc1f7a788f5091ab75642352d77_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Malware Config
Targets
-
-
Target
04409dc1f7a788f5091ab75642352d77_JaffaCakes118
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Scheduled Task: 1