General

  • Target: 3d05aeffc3b74289f50e0594b91c4dfe_JaffaCakes118
  • Size: 1.5MB
  • Sample: 240712-mmdjpasalb
  • MD5: 3d05aeffc3b74289f50e0594b91c4dfe
  • SHA1: 33738d6b0352dd57a1152a45337cf3a8992aad1b
  • SHA256: 51308bea728273be4cfe5a808a72dd2250e5158677a1677010687d6a96df0659
  • SHA512: 157e9ffd2fe90b78c940dcdc21ab08419a9545d4858082cc969e5ab693796144fdc61dcb9b72379e9c0ddd161bad985d2d5a37441daa442abee7122c5fdf0664
  • SSDEEP: 24576:hmZWZvj5lD8xmUxnYwVzL47FXXKT05C7pGPmoY2Yrn48wXvHEq91ZrnEiSo27:hmZWZLQTQJXXKmC7pGPBYFrnLwfkKn7

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks