General

  • Target

    04409dc1f7a788f5091ab75642352d77_JaffaCakes118

  • Size

    3.6MB

  • Sample

    240622-2vcppayckh

  • MD5

    04409dc1f7a788f5091ab75642352d77

  • SHA1

    9f0e0f9a3d316ed6e4ecd1172f39ec1ea2d40cfe

  • SHA256

    d96d88d32ff38d66af304993147ed3b4f415c341f0c0b1ee6a617fa8a2e8a216

  • SHA512

    f52c41ca1490ce6c1321548665ca04964b7a26c352a83222ce1efcc0f92e9400d36859634a662a3f35afbf51c834c5a18680aa3cb058d4d7c1e53d7938b8afb4

  • SSDEEP

    768:7bP3F+MN+lvbGG8cjl2pp3333333333333gqPe+Ri/PwkS7iJdJAI0xdClp37Dfq:nrjm6

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • DCRat payload

      Detects the payload of DCRat, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
