Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 00:46
Static task: static1
Behavioral task: behavioral1
- Sample: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
- Size: 1.5MB
- MD5: 557d4c09c4da24b8d5c59a91c3033093
- SHA1: d0a604bbfe5638138cc76644c8762563762eedb0
- SHA256: b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3
- SHA512: 0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e
- SSDEEP: 49152:ZbA35RuRuN1Fdt3zWhjGmmTzWljOhGz9p:Zb6FHaimwyjxz9p
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe | dcrat
behavioral2/memory/1620-58-0x000001E1A9BE0000-0x000001E1A9D18000-memory.dmp | dcrat

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.

Checks computer location settings (2 TTPs, 8 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | installer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | sonarsolution.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | wAxlVMFS3VFYmsuYtMNI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | installer.sfx.exe

Executes dropped EXE (6 IoCs)
Processes:
pid | process
4932 | installer.sfx.exe
4336 | installer.exe
1404 | sonarsolution.exe
4316 | wAxlVMFS3VFYmsuYtMNI.exe
1620 | perfnet.exe
596 | smss.exe

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe | upx
behavioral2/memory/1404-31-0x00000000003A0000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1404-41-0x00000000003A0000-0x0000000000421000-memory.dmp | upx

Drops file in Program Files directory (4 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe | perfnet.exe
File created | C:\Program Files (x86)\Windows Mail\55b276f4edf653fe07efe8f1ecc32d3d195abd16 | perfnet.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\conhost.exe | perfnet.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\088424020bedd6b28ac7fd22ee35dcd7322895ce | perfnet.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | sonarsolution.exe
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | wAxlVMFS3VFYmsuYtMNI.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2852 | schtasks.exe
3684 | schtasks.exe
2364 | schtasks.exe
4452 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1620 | perfnet.exe
596 | smss.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1620 | perfnet.exe
Token: SeDebugPrivilege | 596 | smss.exe

Suspicious use of WriteProcessMemory (48 IoCs)
Processes (source PID and process wrote to memory of target PID and process; identical events are collapsed, with the count shown as xN):
- 4192 557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe -> 3444 WScript.exe (x3)
- 3444 WScript.exe -> 2464 cmd.exe (x3)
- 2464 cmd.exe -> 2940 cmd.exe (x3)
- 2940 cmd.exe -> 4932 installer.sfx.exe (x3)
- 4932 installer.sfx.exe -> 4336 installer.exe (x3)
- 2940 cmd.exe -> 3900 attrib.exe (x3)
- 4336 installer.exe -> 1404 sonarsolution.exe (x3)
- 1404 sonarsolution.exe -> 4724 WScript.exe (x3)
- 4724 WScript.exe -> 4296 cmd.exe (x3)
- 4296 cmd.exe -> 4316 wAxlVMFS3VFYmsuYtMNI.exe (x3)
- 4316 wAxlVMFS3VFYmsuYtMNI.exe -> 224 WScript.exe (x3)
- 224 WScript.exe -> 4916 cmd.exe (x3)
- 4916 cmd.exe -> 1620 perfnet.exe (x2)
- 1620 perfnet.exe -> 2852 schtasks.exe (x2)
- 1620 perfnet.exe -> 3684 schtasks.exe (x2)
- 1620 perfnet.exe -> 2364 schtasks.exe (x2)
- 1620 perfnet.exe -> 4452 schtasks.exe (x2)
- 1620 perfnet.exe -> 596 smss.exe (x2)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)

Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe (PID 4192)
  command line: "C:\Users\Admin\AppData\Local\Temp\557d4c09c4da24b8d5c59a91c3033093_JaffaCakes118.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 3444)
    command line: "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2464)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 2940)
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
        - Suspicious use of WriteProcessMemory
        C:\Temp\installer.sfx.exe (PID 4932)
          command line: "installer.sfx.exe" -p123908VDS -dC:\Temp
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Temp\installer.exe (PID 4336)
            command line: "C:\Temp\installer.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe (PID 1404)
              command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\WScript.exe (PID 4724)
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
                - Checks computer location settings
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe (PID 4296)
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "
                  - Suspicious use of WriteProcessMemory
                  C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe (PID 4316)
                    command line: wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Modifies registry class
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\WScript.exe (PID 224)
                      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
                      - Checks computer location settings
                      - Suspicious use of WriteProcessMemory
                      C:\Windows\SysWOW64\cmd.exe (PID 4916)
                        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "
                        - Suspicious use of WriteProcessMemory
                        C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe (PID 1620)
                          command line: "C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
                          - Executes dropped EXE
                          - Drops file in Program Files directory
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of WriteProcessMemory
                          C:\Windows\SYSTEM32\schtasks.exe (PID 2852)
                            command line: "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task
                          C:\Windows\SYSTEM32\schtasks.exe (PID 3684)
                            command line: "schtasks" /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task
                          C:\Windows\SYSTEM32\schtasks.exe (PID 2364)
                            command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\conhost.exe'" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task
                          C:\Windows\SYSTEM32\schtasks.exe (PID 4452)
                            command line: "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                            - Scheduled Task/Job: Scheduled Task
                          C:\Recovery\WindowsRE\smss.exe (PID 596)
                            command line: "C:\Recovery\WindowsRE\smss.exe"
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\attrib.exe (PID 3900)
          command line: ATTRIB +S +H -R C:\Temp
          - Sets file to hidden
          - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads