Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    18-07-2024 00:46

General

  • Target

    557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    557d4c09c4da24b8d5c59a91c3033093

  • SHA1

    d0a604bbfe5638138cc76644c8762563762eedb0

  • SHA256

    b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3

  • SHA512

    0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e

  • SSDEEP

    49152:ZbA35RuRuN1Fdt3zWhjGmmTzWljOhGz9p:Zb6FHaimwyjxz9p

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes so the file or directory is not shown in Explorer and similar tools.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Temp\installer.sfx.exe
            "installer.sfx.exe" -p123908VDS -dC:\Temp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4932
            • C:\Temp\installer.exe
              "C:\Temp\installer.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4336
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1404
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:4724
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4296
                    • C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
                      wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4316
                      • C:\Windows\SysWOW64\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
                        11⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:224
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4916
                          • C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
                            "C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1620
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
                              14⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2852
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                              14⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:3684
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
                              14⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2364
                            • C:\Windows\SYSTEM32\schtasks.exe
                              "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                              14⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4452
                            • C:\Recovery\WindowsRE\smss.exe
                              "C:\Recovery\WindowsRE\smss.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:596
          • C:\Windows\SysWOW64\attrib.exe
            ATTRIB +S +H -R C:\Temp
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3900
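
The chain above is script host -> batch -> password-protected SFX -> second-stage SFX -> DCRat (perfnet.exe), finished off with four ONLOGON scheduled tasks whose actions reuse Windows binary names in directories where those binaries never live. As an added example (not part of this report and not vendor tooling), the Python below runs a handful of detections over the command lines transcribed from this process tree: script hosts launched from user-writable directories, WinRAR-style SFX runs carrying a -p password switch, ONLOGON tasks at HIGHEST run level whose target masquerades as a known binary, and the attrib call that hides C:\Temp. The (image, command line) record format stands in for a Sysmon Event ID 1 or EDR feed, and the table of expected binary locations is the example's own assumption, not something the report states.

```python
"""Simple detections over the process tree in the Processes section above.

Added example for this page, not part of the sandbox report or of any vendor
tooling. RECORDS is transcribed from the report's command lines; the tuple
format and the EXPECTED_DIRS table are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# (Image, CommandLine) pairs taken from the report's process tree.
RECORDS = [
    (r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "'),
    (r"C:\Temp\installer.sfx.exe",
     r'"installer.sfx.exe" -p123908VDS -dC:\Temp'),
    (r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"'),
    (r"C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe",
     r"wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'''"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'''"schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'''"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'''"schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\SysWOW64\attrib.exe", r"ATTRIB +S +H -R C:\Temp"),
]

# Where these binary names legitimately live (example's assumption; prefix match,
# case-insensitive). The sample reuses the names under other directories.
EXPECTED_DIRS = {
    "smss.exe": [r"C:\Windows\System32"],
    "conhost.exe": [r"C:\Windows\System32"],
    "startmenuexperiencehost.exe": [r"C:\Windows\SystemApps"],
    "officeclicktorun.exe": [r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun"],
}
# Directory prefixes a standard user can write to (lower-case).
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\")

SCHTASKS_OPT = re.compile(r'/(tn|sc|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /tn /sc /tr /rl values of a schtasks /create line, quotes stripped."""
    return {key.lower(): val.strip('"').strip("'") for key, val in SCHTASKS_OPT.findall(cmdline)}


def masquerade_reason(path):
    """Non-empty reason if `path` carries a well-known binary name outside its expected directory."""
    name = PureWindowsPath(path).name.lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None or any(path.lower().startswith(d.lower() + "\\") for d in expected):
        return ""
    return f"{name} outside {expected[0]}"


def check_record(image, cmdline):
    """Return a list of (rule, detail) findings for one process-creation record."""
    findings = []
    exe = PureWindowsPath(image).name.lower()
    low = cmdline.lower()

    if exe in ("wscript.exe", "cscript.exe"):
        m = re.search(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', cmdline, re.IGNORECASE)
        if m and m.group(1).lower().startswith(USER_WRITABLE):
            findings.append(("script host from user-writable path", m.group(1)))

    # WinRAR-style SFX switches: -p<password> opens the archive, -d<dir> sets the
    # extraction directory. A password keeps the payload opaque to archive scanners.
    if exe != "schtasks.exe" and re.search(r"(^|\s)-p\S+", cmdline):
        dest = re.search(r"\s-d(\S+)", cmdline)
        findings.append(("password-protected SFX extraction",
                         f"extract to {dest.group(1)}" if dest else "extract dir not given"))

    if exe == "schtasks.exe" and "/create" in low:
        t = parse_schtasks(cmdline)
        if t.get("sc", "").upper() == "ONLOGON" and t.get("rl", "").upper() == "HIGHEST":
            reason = masquerade_reason(t.get("tr", ""))
            rule = "ONLOGON task at HIGHEST, masqueraded binary" if reason else "ONLOGON task at HIGHEST"
            findings.append((rule, f"{t.get('tn')} -> {t.get('tr')}" + (f" ({reason})" if reason else "")))

    if exe == "attrib.exe" and "+h" in low and "+s" in low:
        findings.append(("directory hidden as system", cmdline.split()[-1]))
    return findings


def scan(records):
    """Flatten findings over all records as (image basename, rule, detail)."""
    return [(PureWindowsPath(image).name, rule, detail)
            for image, cmdline in records
            for rule, detail in check_record(image, cmdline)]


if __name__ == "__main__":
    for exe, rule, detail in scan(RECORDS):
        print(f"{exe:14} {rule:46} {detail}")
```

Over the transcribed records this yields nine findings: two script-host launches, two SFX runs with a password switch, the four masqueraded ONLOGON tasks and the attrib call. The masquerade check is the one worth keeping in production: a task action named smss.exe or conhost.exe anywhere but System32 has no benign explanation, whereas ONLOGON plus HIGHEST on its own is noisy.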

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Temp\installer.exe

    Filesize

    1.2MB

    MD5

    849eb64e16678f93dab5d31e6f62eb95

    SHA1

    ee92d61555b766921daa006a56c62d2e43e01fb5

    SHA256

    3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058

    SHA512

    d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a

  • C:\Temp\installer.sfx.exe

    Filesize

    1.4MB

    MD5

    eb3b0596ae7cb54396a1815beaede97f

    SHA1

    f5116c7e301dd50b0c2eeb3c4459ed75321a603e

    SHA256

    c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10

    SHA512

    ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231

  • C:\Temp\sonspam.bat

    Filesize

    167B

    MD5

    b85cf59bcba86d882ff114d44ce2789d

    SHA1

    efdd4b718ed0d0f8af4caabad936afb03a5447df

    SHA256

    e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597

    SHA512

    e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef

  • C:\Temp\sonspamstart.vbs

    Filesize

    98B

    MD5

    68f47f42c9c8df4f547695c0060f7663

    SHA1

    01e85ff16492d39879958fa9471a9fd0e0013206

    SHA256

    cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e

    SHA512

    7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe

    Filesize

    944KB

    MD5

    b44452a72e44157f12e331bd4623052e

    SHA1

    e02b7cfd576c64938827925fe215f9fce6075ac4

    SHA256

    8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c

    SHA512

    698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4

  • C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe

    Filesize

    153B

    MD5

    1b9c939adc33ae74ac644998287149cc

    SHA1

    633bd684184d9e12d13aa6c3267d80bd5d87393c

    SHA256

    5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb

    SHA512

    142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae

  • C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat

    Filesize

    484B

    MD5

    68dc7eb71a7f95c046a63052c8331e92

    SHA1

    77224c83ad1398efab03ccfca520a83460e16d03

    SHA256

    1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7

    SHA512

    9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128

  • C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat

    Filesize

    34B

    MD5

    8c56e629a1aec270a35c4e9958b43bfb

    SHA1

    aa0b74c4d84fecdc34556bd4c7713bb618a5ba92

    SHA256

    ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc

    SHA512

    a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a

  • C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe

    Filesize

    229B

    MD5

    3d85f3996a95493013590846632e86f6

    SHA1

    9b9e935e3ae296a16d0fb08b7809d39d17f715e5

    SHA256

    b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a

    SHA512

    bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65

  • C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe

    Filesize

    1.2MB

    MD5

    a1f2423f375be02b22175a9de219a17e

    SHA1

    d3f0dcee37bce0952a8841dea578ba431588f621

    SHA256

    d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71

    SHA512

    e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4

  • C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe

    Filesize

    908KB

    MD5

    31e8f1b92ffcdd66676fcb134b225e15

    SHA1

    5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58

    SHA256

    3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110

    SHA512

    fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f

  • memory/1404-41-0x00000000003A0000-0x0000000000421000-memory.dmp

    Filesize

    516KB

  • memory/1404-31-0x00000000003A0000-0x0000000000421000-memory.dmp

    Filesize

    516KB

  • memory/1620-58-0x000001E1A9BE0000-0x000001E1A9D18000-memory.dmp

    Filesize

    1.2MB