Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 00:46
Static task: static1
Behavioral task: behavioral1
  Sample: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
Size: 1.5MB
MD5: 557d4c09c4da24b8d5c59a91c3033093
SHA1: d0a604bbfe5638138cc76644c8762563762eedb0
SHA256: b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3
SHA512: 0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e
SSDEEP: 49152:ZbA35RuRuN1Fdt3zWhjGmmTzWljOhGz9p:Zb6FHaimwyjxz9p
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (resource, yara_rule):
- \Users\Admin\AppData\Roaming\intoreview\perfnet.exe: dcrat
- behavioral1/memory/1492-70-0x0000000001030000-0x0000000001168000-memory.dmp: dcrat
- behavioral1/memory/1932-92-0x0000000000D90000-0x0000000000EC8000-memory.dmp: dcrat

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 2660 installer.sfx.exe
- 1636 installer.exe
- 2788 sonarsolution.exe
- 2724 wAxlVMFS3VFYmsuYtMNI.exe
- 1492 perfnet.exe
- 1932 lsm.exe

Loads dropped DLL (9 IoCs)
Processes (pid, process; repeated identical events grouped, 9 in total):
- 2760 cmd.exe
- 2660 installer.sfx.exe (3 events)
- 1636 installer.exe (3 events)
- 2752 cmd.exe
- 1068 cmd.exe

Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe: upx
- behavioral1/memory/2788-42-0x0000000000D20000-0x0000000000DA1000-memory.dmp: upx
- behavioral1/memory/2788-51-0x0000000000D20000-0x0000000000DA1000-memory.dmp: upx

Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\SoftwareDistribution\AuthCabs\69ddcba757bf72f7d36c464c71f42baab150b2b9 (perfnet.exe)
- File created: C:\Windows\SoftwareDistribution\AuthCabs\smss.exe (perfnet.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1592 schtasks.exe
- 1824 schtasks.exe
- 904 schtasks.exe
- 2032 schtasks.exe
- 2912 schtasks.exe
- 1652 schtasks.exe
- 1168 schtasks.exe
- 1184 schtasks.exe
- 2236 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1492 perfnet.exe
- 1932 lsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1492 perfnet.exe
- Token: SeDebugPrivilege, 1932 lsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process -> target process; repeated identical events grouped, 64 in total):
- PID 1628 wrote to memory of 2800: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe -> WScript.exe (4 events)
- PID 2800 wrote to memory of 2632: WScript.exe -> cmd.exe (4 events)
- PID 2632 wrote to memory of 2760: cmd.exe -> cmd.exe (4 events)
- PID 2760 wrote to memory of 2660: cmd.exe -> installer.sfx.exe (7 events)
- PID 2660 wrote to memory of 1636: installer.sfx.exe -> installer.exe (7 events)
- PID 2760 wrote to memory of 2528: cmd.exe -> attrib.exe (4 events)
- PID 1636 wrote to memory of 2788: installer.exe -> sonarsolution.exe (4 events)
- PID 2788 wrote to memory of 2740: sonarsolution.exe -> WScript.exe (4 events)
- PID 2740 wrote to memory of 2752: WScript.exe -> cmd.exe (4 events)
- PID 2752 wrote to memory of 2724: cmd.exe -> wAxlVMFS3VFYmsuYtMNI.exe (4 events)
- PID 2724 wrote to memory of 2924: wAxlVMFS3VFYmsuYtMNI.exe -> WScript.exe (4 events)
- PID 2924 wrote to memory of 1068: WScript.exe -> cmd.exe (4 events)
- PID 1068 wrote to memory of 1492: cmd.exe -> perfnet.exe (4 events)
- PID 1492 wrote to memory of 2912: perfnet.exe -> schtasks.exe (3 events)
- PID 1492 wrote to memory of 1592: perfnet.exe -> schtasks.exe (3 events)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
Process tree (the bracketed number is the depth of the process in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1628

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 2800

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Temp\sonspam.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 2632

[4] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2760

[5] C:\Temp\installer.sfx.exe
    Command line: "installer.sfx.exe" -p123908VDS -dC:\Temp
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2660

[6] C:\Temp\installer.exe
    Command line: "C:\Temp\installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1636

[7] C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2788

[8] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2740

[9] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2752

[10] C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
    Command line: wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2724

[11] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2924

[12] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1068

[13] C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
    Command line: "C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1492

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2912

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1592

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1652

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\smss.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1168

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1824

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1184

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 904

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2236

[14] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsm.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 2032

[14] C:\Users\Admin\My Documents\lsm.exe
    Command line: "C:\Users\Admin\My Documents\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1932

[5] C:\Windows\SysWOW64\attrib.exe
    Command line: ATTRIB +S +H -R C:\Temp
    - Sets file to hidden
    - Views/modifies file attributes
    PID: 2528
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.4MB
  MD5: eb3b0596ae7cb54396a1815beaede97f
  SHA1: f5116c7e301dd50b0c2eeb3c4459ed75321a603e
  SHA256: c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10
  SHA512: ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231

- Filesize: 167B
  MD5: b85cf59bcba86d882ff114d44ce2789d
  SHA1: efdd4b718ed0d0f8af4caabad936afb03a5447df
  SHA256: e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597
  SHA512: e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef

- Filesize: 98B
  MD5: 68f47f42c9c8df4f547695c0060f7663
  SHA1: 01e85ff16492d39879958fa9471a9fd0e0013206
  SHA256: cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e
  SHA512: 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d

- Filesize: 153B
  MD5: 1b9c939adc33ae74ac644998287149cc
  SHA1: 633bd684184d9e12d13aa6c3267d80bd5d87393c
  SHA256: 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb
  SHA512: 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae

- Filesize: 484B
  MD5: 68dc7eb71a7f95c046a63052c8331e92
  SHA1: 77224c83ad1398efab03ccfca520a83460e16d03
  SHA256: 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7
  SHA512: 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128

- Filesize: 34B
  MD5: 8c56e629a1aec270a35c4e9958b43bfb
  SHA1: aa0b74c4d84fecdc34556bd4c7713bb618a5ba92
  SHA256: ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc
  SHA512: a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a

- Filesize: 229B
  MD5: 3d85f3996a95493013590846632e86f6
  SHA1: 9b9e935e3ae296a16d0fb08b7809d39d17f715e5
  SHA256: b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a
  SHA512: bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65

- Filesize: 1.2MB
  MD5: 849eb64e16678f93dab5d31e6f62eb95
  SHA1: ee92d61555b766921daa006a56c62d2e43e01fb5
  SHA256: 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058
  SHA512: d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a

- Filesize: 944KB
  MD5: b44452a72e44157f12e331bd4623052e
  SHA1: e02b7cfd576c64938827925fe215f9fce6075ac4
  SHA256: 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c
  SHA512: 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4

- Filesize: 1.2MB
  MD5: a1f2423f375be02b22175a9de219a17e
  SHA1: d3f0dcee37bce0952a8841dea578ba431588f621
  SHA256: d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71
  SHA512: e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4

- Filesize: 908KB
  MD5: 31e8f1b92ffcdd66676fcb134b225e15
  SHA1: 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58
  SHA256: 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110
  SHA512: fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f