General
-
Target
3d05aeffc3b74289f50e0594b91c4dfe_JaffaCakes118
-
Size
1.5MB
-
Sample
240712-mmdjpasalb
-
MD5
3d05aeffc3b74289f50e0594b91c4dfe
-
SHA1
33738d6b0352dd57a1152a45337cf3a8992aad1b
-
SHA256
51308bea728273be4cfe5a808a72dd2250e5158677a1677010687d6a96df0659
-
SHA512
157e9ffd2fe90b78c940dcdc21ab08419a9545d4858082cc969e5ab693796144fdc61dcb9b72379e9c0ddd161bad985d2d5a37441daa442abee7122c5fdf0664
-
SSDEEP
24576:hmZWZvj5lD8xmUxnYwVzL47FXXKT05C7pGPmoY2Yrn48wXvHEq91ZrnEiSo27:hmZWZLQTQJXXKmC7pGPBYFrnLwfkKn7
Static task
static1
Behavioral task
behavioral1
Sample
3d05aeffc3b74289f50e0594b91c4dfe_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
3d05aeffc3b74289f50e0594b91c4dfe_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Malware Config
Targets
-
-
Target
3d05aeffc3b74289f50e0594b91c4dfe_JaffaCakes118
-
Size
1.5MB
-
MD5
3d05aeffc3b74289f50e0594b91c4dfe
-
SHA1
33738d6b0352dd57a1152a45337cf3a8992aad1b
-
SHA256
51308bea728273be4cfe5a808a72dd2250e5158677a1677010687d6a96df0659
-
SHA512
157e9ffd2fe90b78c940dcdc21ab08419a9545d4858082cc969e5ab693796144fdc61dcb9b72379e9c0ddd161bad985d2d5a37441daa442abee7122c5fdf0664
-
SSDEEP
24576:hmZWZvj5lD8xmUxnYwVzL47FXXKT05C7pGPmoY2Yrn48wXvHEq91ZrnEiSo27:hmZWZLQTQJXXKmC7pGPBYFrnLwfkKn7
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1