General

  • Target

    5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240719-xdpkpsyaqd

  • MD5

    5d329190630c5c051e1b2c4ad4c69abd

  • SHA1

    0227d4e1597ca90477cad5fc3a960f3590457031

  • SHA256

    6974f159cb6e056fd9675ec4ecb6d271a7d6bb69711a295be593091d3bcb9e45

  • SHA512

    0b0f745634bbab4234b0b8b9e5f80c9c99870fe0647afcfa88ffe1990012e9968bcf6f722d7f87c54e6cc7ca566e910a605688e7825a9b82629114f67dae69b9

  • SSDEEP

    24576:O2G/nvxW3WDkIavL5BH7pdKk+BSjLeuNVg+4u:ObA3BI+BH9uB+r

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
