Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2024 02:59

Static task: static1

Behavioral task: behavioral1
- Sample: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
- Resource: win10v2004-20240709-en

General
- Target: 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
- Size: 3.9MB
- MD5: 5a33e9b9c627ea6bce5e8d0ca829176e
- SHA1: 013051e396b1a1e785d22e5527efdee96e60b05d
- SHA256: 6064b9d452f32cf09e464f17381b9f04fe929c8ed35f43772def8556eadec550
- SHA512: 982ee4b6a05f2a9c38d4722c5eba5fb14260dd3bcd7f6626a050c2a9fd48f10c693901e8c021bc12367ef60f8ad4899e4fb3f10d7f2aa5706d1e822b0ee79576
- SSDEEP: 98304:DkwBHjSM12JtDpJX2c+4uXzwcMSdT23sEeKGSxzEceeVTUg:DkbM12JVrXL+4umSV23+WIgVTUg

Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  resource | yara_rule
  C:\dhcpbroker\intocrt.exe | dcrat
  behavioral2/memory/3048-204-0x0000013100670000-0x00000131006E6000-memory.dmp | dcrat

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | DCrmiZ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  4856 | skinchanger_csgo_08.02.2021.exe
  4136 | DCrmiZ.exe
  3048 | intocrt.exe
  4148 | WaaSMedicAgent.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\WaaSMedicAgent.exe\"" | intocrt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Vss\\Writers\\Application\\Idle.exe\"" | intocrt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\"" | intocrt.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intocrt = "\"C:\\Recovery\\WindowsRE\\intocrt.exe\"" | intocrt.exe

Drops file in Windows directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Vss\Writers\Application\Idle.exe | intocrt.exe
  File created | C:\Windows\Vss\Writers\Application\6ccacd8608530fba3a93e87ae2225c7032aa18c1 | intocrt.exe
  File created | C:\Windows\Vss\Writers\Application\Idle.exe | intocrt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | DCrmiZ.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4060 | schtasks.exe
  3336 | schtasks.exe
  536 | schtasks.exe
  4448 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid | process
  3048 | intocrt.exe
  3048 | intocrt.exe
  4148 | WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3048 | intocrt.exe
  Token: SeDebugPrivilege | 4148 | WaaSMedicAgent.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  5032 | javaw.exe
  5032 | javaw.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description | pid | process | target process
  PID 548 wrote to memory of 4856 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
  PID 548 wrote to memory of 4856 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
  PID 548 wrote to memory of 4856 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | skinchanger_csgo_08.02.2021.exe
  PID 548 wrote to memory of 4136 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
  PID 548 wrote to memory of 4136 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
  PID 548 wrote to memory of 4136 | 548 | 5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe | DCrmiZ.exe
  PID 4856 wrote to memory of 5032 | 4856 | skinchanger_csgo_08.02.2021.exe | javaw.exe
  PID 4856 wrote to memory of 5032 | 4856 | skinchanger_csgo_08.02.2021.exe | javaw.exe
  PID 4136 wrote to memory of 3600 | 4136 | DCrmiZ.exe | WScript.exe
  PID 4136 wrote to memory of 3600 | 4136 | DCrmiZ.exe | WScript.exe
  PID 4136 wrote to memory of 3600 | 4136 | DCrmiZ.exe | WScript.exe
  PID 3600 wrote to memory of 4616 | 3600 | WScript.exe | cmd.exe
  PID 3600 wrote to memory of 4616 | 3600 | WScript.exe | cmd.exe
  PID 3600 wrote to memory of 4616 | 3600 | WScript.exe | cmd.exe
  PID 4616 wrote to memory of 3048 | 4616 | cmd.exe | intocrt.exe
  PID 4616 wrote to memory of 3048 | 4616 | cmd.exe | intocrt.exe
  PID 3048 wrote to memory of 4448 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 4448 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 4060 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 4060 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 3336 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 3336 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 536 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 536 | 3048 | intocrt.exe | schtasks.exe
  PID 3048 wrote to memory of 4148 | 3048 | intocrt.exe | WaaSMedicAgent.exe
  PID 3048 wrote to memory of 4148 | 3048 | intocrt.exe | WaaSMedicAgent.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a33e9b9c627ea6bce5e8d0ca829176e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 548

  C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4856

    C:\Program Files\Java\jre-1.8\bin\javaw.exe
      command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms64m -Xmx128m -jar "C:\Users\Admin\AppData\Local\Temp\skinchanger_csgo_08.02.2021.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 5032

  C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DCrmiZ.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4136

    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\dhcpbroker\LboxPbvRMQFdTG327MfoAXtGOluFbW.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 3600

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\dhcpbroker\KTNvVUs7rCbjeE6SfbcNAGzeGA6bfl.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 4616

        C:\dhcpbroker\intocrt.exe
          command line: "C:\dhcpbroker\intocrt.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3048

          C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\Idle.exe'" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 4448

          C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 4060

          C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "intocrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\intocrt.exe'" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 3336

          C:\Windows\SYSTEM32\schtasks.exe
            command line: "schtasks" /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe'" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
            PID: 536

          C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe
            command line: "C:\ProgramData\Oracle\Java\.oracle_jre_usage\WaaSMedicAgent.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4148

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads