Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 18:44
Behavioral task behavioral1
Sample: 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe
Size: 1.3MB
MD5: 5d329190630c5c051e1b2c4ad4c69abd
SHA1: 0227d4e1597ca90477cad5fc3a960f3590457031
SHA256: 6974f159cb6e056fd9675ec4ecb6d271a7d6bb69711a295be593091d3bcb9e45
SHA512: 0b0f745634bbab4234b0b8b9e5f80c9c99870fe0647afcfa88ffe1990012e9968bcf6f722d7f87c54e6cc7ca566e910a605688e7825a9b82629114f67dae69b9
SSDEEP: 24576:O2G/nvxW3WDkIavL5BH7pdKk+BSjLeuNVg+4u:ObA3BI+BH9uB+r
Malware Config
Signatures
-
DcRat (6 IoCs)
DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
Processes: schtasks.exe
  - schtasks.exe (PID 304)
  - schtasks.exe (PID 1528)
  - schtasks.exe (PID 3004)
  - schtasks.exe (PID 2852)
  - schtasks.exe (PID 2264)
  - schtasks.exe (PID 1976)
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
Processes: hui.exe
hui.exe set the string value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell six times, each write appending one more dropped binary after the stock explorer.exe shell, in this order:
  - C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe
  - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe
  - C:\Windows\System32\NlsLexicons0007\csrss.exe
  - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe
  - C:\Windows\System32\D3DCompiler_47\conhost.exe
  - C:\Documents and Settings\WmiPrvSE.exe
Final value: explorer.exe, "C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe", "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe", "C:\Windows\System32\NlsLexicons0007\csrss.exe", "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe", "C:\Windows\System32\D3DCompiler_47\conhost.exe", "C:\Documents and Settings\WmiPrvSE.exe"
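Winlogon accepts a comma-separated list in the Shell value and launches every entry at logon, which is what the writes above exploit. The check below is an added example (my code, not part of the sandbox report or the malware): it parses a Shell value the way Winlogon reads it and reports every entry beyond the stock explorer.exe, and it also catches the case where the first entry is a full path to some other explorer.exe. FINAL_SHELL_VALUE is the last value recorded above written as a plain Windows string; DEFAULT_SHELL and the function names are my own.

```python
"""Audit a Winlogon\\Shell value for extra autostart entries.

Added example for this report, not sandbox or malware code. FINAL_SHELL_VALUE
is the last value recorded in the report (as a plain Windows string);
DEFAULT_SHELL and the function names are my own assumptions.
"""
import csv

DEFAULT_SHELL = "explorer.exe"   # stock value; Winlogon resolves the bare name itself

# Constructed from the final "Set value" entry in the report above.
FINAL_SHELL_VALUE = (
    r'explorer.exe, "C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe", '
    r'"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe", '
    r'"C:\Windows\System32\NlsLexicons0007\csrss.exe", '
    r'"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe", '
    r'"C:\Windows\System32\D3DCompiler_47\conhost.exe", '
    r'"C:\Documents and Settings\WmiPrvSE.exe"'
)


def parse_shell_value(value):
    """Split the comma-separated Shell value; quoted paths may contain spaces and commas."""
    fields = next(csv.reader([value], skipinitialspace=True), [])
    return [f.strip() for f in fields if f.strip()]


def audit_shell(value):
    """Return which entries Winlogon would launch besides the stock shell.

    The first entry must be the bare name explorer.exe: a full path to some
    other explorer.exe means the shell itself was replaced. An empty value
    is reported as no entries at all.
    """
    entries = parse_shell_value(value)
    shell_replaced = bool(entries) and entries[0].lower() != DEFAULT_SHELL
    extras = [e for e in entries if e.lower() != DEFAULT_SHELL]
    return {"shell_replaced": shell_replaced, "extras": extras}


if __name__ == "__main__":
    report = audit_shell(FINAL_SHELL_VALUE)
    print("shell replaced:", report["shell_replaced"])
    for path in report["extras"]:
        print("extra autostart:", path)
```

On a live host the same function can be fed the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; note that the machine-hive writes seen here required administrative rights, which the sandbox's Admin account supplied.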
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe
  - Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2560) is not expected to spawn schtasks.exe: child PIDs 2264, 1976, 304, 1528, 3004, 2852
YARA rule matches (3 IoCs)
  - resource C:\Users\Admin\AppData\Roaming\Adobe\hui.exe: rule dcrat
  - resource behavioral1/memory/2572-13-0x0000000001300000-0x00000000013EE000-memory.dmp: rule dcrat
  - resource behavioral1/memory/2432-32-0x00000000012E0000-0x00000000013CE000-memory.dmp: rule dcrat
Executes dropped EXE (2 IoCs)
Processes: hui.exe, csrss.exe
  - hui.exe (PID 2572)
  - csrss.exe (PID 2432)
Loads dropped DLL (2 IoCs)
Processes: cmd.exe
  - cmd.exe (PID 2708), 2 events
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: hui.exe
hui.exe set the same six Run values (str) under both the user hive and the machine hive:
  - \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Values (name = data):
  - hui = "C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe"
  - audiodg = "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - csrss = "C:\Windows\System32\NlsLexicons0007\csrss.exe"
  - OSPPSVC = "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe"
  - conhost = "C:\Windows\System32\D3DCompiler_47\conhost.exe"
  - WmiPrvSE = "C:\Documents and Settings\WmiPrvSE.exe"
Drops file in System32 directory (4 IoCs)
Processes: hui.exe
  - File created C:\Windows\System32\NlsLexicons0007\csrss.exe
  - File created C:\Windows\System32\NlsLexicons0007\886983d96e3d3e31032c679b2d4ea91b6c05afef
  - File created C:\Windows\System32\D3DCompiler_47\conhost.exe
  - File created C:\Windows\System32\D3DCompiler_47\088424020bedd6b28ac7fd22ee35dcd7322895ce
Drops file in Program Files directory (2 IoCs)
Processes: hui.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
  - schtasks.exe (PID 2264)
  - schtasks.exe (PID 1976)
  - schtasks.exe (PID 304)
  - schtasks.exe (PID 1528)
  - schtasks.exe (PID 3004)
  - schtasks.exe (PID 2852)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: hui.exe, csrss.exe
  - hui.exe (PID 2572)
  - csrss.exe (PID 2432)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: hui.exe, csrss.exe
  - Token: SeDebugPrivilege, hui.exe (PID 2572)
  - Token: SeDebugPrivilege, csrss.exe (PID 2432)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe, WScript.exe, cmd.exe, hui.exe
  - PID 1596 (5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe) wrote to memory of PID 2748 (WScript.exe): 4 events
  - PID 2748 (WScript.exe) wrote to memory of PID 2708 (cmd.exe): 4 events
  - PID 2708 (cmd.exe) wrote to memory of PID 2572 (hui.exe): 4 events
  - PID 2572 (hui.exe) wrote to memory of PID 2432 (csrss.exe): 3 events
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows nesting depth; each entry gives image path, command line and the signatures hit):

C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe (PID 1596)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2748)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\sN8j8UtUmLUEbzv.vbe"
    (the command line names System32 but the image ran from SysWOW64: the 32-bit parent's path was subject to WOW64 file-system redirection)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2708)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\87tDm8T1lOvAjdSEmWMIMA3JTpcTMB.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Adobe\hui.exe (PID 2572)
        command line: "C:\Users\Admin\AppData\Roaming\Adobe\hui.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\NlsLexicons0007\csrss.exe (PID 2432)
          command line: "C:\Windows\System32\NlsLexicons0007\csrss.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Six schtasks.exe processes sit at depth 1 outside the tree above; each was spawned by C:\Windows\system32\wbem\wmiprvse.exe (PID 2560) and each hit the signatures DcRat, Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task:

C:\Windows\system32\schtasks.exe (PID 2264)
  command line: schtasks.exe /create /tn "hui" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1976)
  command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 304)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0007\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1528)
  command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3004)
  command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\D3DCompiler_47\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 2852)
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
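The six schtasks.exe command lines above share the traits worth alerting on: an ONLOGON trigger, /rl HIGHEST, a parent of WmiPrvSE.exe (processes created through WMI's Win32_Process.Create get WmiPrvSE.exe as their parent, so these "unexpected child" hits are more plausibly WMI-driven task creation than an exploited WmiPrvSE), and targets named like Windows binaries (csrss.exe, conhost.exe, audiodg.exe, WmiPrvSE.exe, OSPPSVC.exe) but placed in directories those binaries never ship from. The triage below is an added example (my code, not part of the sandbox report or the malware) that parses such command lines and scores those traits; it also serves the "Scheduled Task/Job: Scheduled Task" and "Process spawned unexpected child process" signatures above. EVENTS is constructed from the six rows in this report; the event field names, SYSTEM_BINARY_HOMES, UNEXPECTED_PARENTS and USER_WRITABLE_MARKERS are my own assumptions and deliberately incomplete.

```python
"""Triage schtasks.exe /create command lines from process-creation events.

Added example for this report, not sandbox or malware code. EVENTS is
constructed from the six schtasks.exe rows in the report; the event field
names and the three lookup tables below are my own assumptions.
"""
import ntpath
import re

# Directory Windows ships each of these binaries in (assumed table, not exhaustive).
SYSTEM_BINARY_HOMES = {
    "csrss.exe": r"C:\Windows\System32",
    "conhost.exe": r"C:\Windows\System32",
    "audiodg.exe": r"C:\Windows\System32",
    "wmiprvse.exe": r"C:\Windows\System32\wbem",
    "osppsvc.exe": r"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform",
}
# Parents with no legitimate reason to launch schtasks.exe (assumed list).
UNEXPECTED_PARENTS = {"wmiprvse.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}
# Path fragments marking locations an unprivileged user can write to (assumed list).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\documents and settings\\", "\\programdata\\", "\\temp\\")

_TOKEN = re.compile(r'"[^"]*"|\S+')   # a double-quoted run or a bare word


def _unquote(value):
    """Strip one layer of double quotes, then one layer of single quotes ("'path'" -> path)."""
    for quote in ('"', "'"):
        if len(value) >= 2 and value[0] == quote and value[-1] == quote:
            value = value[1:-1]
    return value


def parse_schtasks(cmdline):
    """Map /option -> value (or True for a bare switch such as /f) from a schtasks command line."""
    tokens = _TOKEN.findall(cmdline)
    opts = {}
    i = 1                                   # tokens[0] is the image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = _unquote(tokens[i + 1])
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def triage_schtasks(event):
    """Return human-readable findings for one schtasks.exe process-creation event."""
    opts = parse_schtasks(event["cmdline"])
    if "create" not in opts:
        return []
    findings = []
    target = str(opts.get("tr", ""))
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("task requests the HIGHEST run level")
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
        findings.append(f"persistence trigger /sc {opts['sc']}")
    parent = ntpath.basename(event["parent"])
    if parent.lower() in UNEXPECTED_PARENTS:
        findings.append(f"unexpected parent {parent}")
    name = ntpath.basename(target).lower()
    home = SYSTEM_BINARY_HOMES.get(name)
    if home and ntpath.dirname(target).lower() != home.lower():
        findings.append(f"{name} outside its home directory: {ntpath.dirname(target)}")
    if any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
        findings.append("target lives in a user-writable location")
    return findings


def triage_all(events):
    """Task name -> findings, for every event in the batch."""
    return {str(parse_schtasks(e["cmdline"]).get("tn")): triage_schtasks(e) for e in events}


# Constructed from the six schtasks.exe rows in the report (parent PID 2560).
_PARENT = r"C:\Windows\system32\wbem\wmiprvse.exe"


def _ev(pid, tn, path):
    return {"pid": pid, "parent": _PARENT,
            "cmdline": f'schtasks.exe /create /tn "{tn}" /sc ONLOGON /tr "\'{path}\'" /rl HIGHEST /f'}


EVENTS = [
    _ev(2264, "hui", r"C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe"),
    _ev(1976, "audiodg", r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe"),
    _ev(304, "csrss", r"C:\Windows\System32\NlsLexicons0007\csrss.exe"),
    _ev(1528, "OSPPSVC", r"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe"),
    _ev(3004, "conhost", r"C:\Windows\System32\D3DCompiler_47\conhost.exe"),
    _ev(2852, "WmiPrvSE", r"C:\Documents and Settings\WmiPrvSE.exe"),
]

if __name__ == "__main__":
    for task, findings in triage_all(EVENTS).items():
        print(f"{task}: {len(findings)} findings")
        for f in findings:
            print("   -", f)
```

This only sees tasks created through schtasks.exe. The "Uses Task Scheduler COM API" signature below records the other route, which produces no schtasks.exe command line at all; for that path the task XML under C:\Windows\System32\Tasks and the entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache are the artifacts to check.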
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
File 1
  Filesize: 25B
  MD5: e7f48aa75e0fb6a5ff062767274b118a
  SHA1: 35708e08c6fd4f4d5b90d205535eaf614f616947
  SHA256: 75d94792b854edf88578815103ae48089e1cb0566c97c86bc3b3ecf5373778d7
  SHA512: 85d827e4d81a7612ae78feda079f1a82812d7a430643db6bb3863c3cfe618649eb15b574c367d070c6fc594ebaf1c8ada66390279c703f7eb88e2c8b9a21adcb
File 2
  Filesize: 922KB
  MD5: 1b46dad7064609344351ac9efe3f9aab
  SHA1: 9aa8051f5ef6f800410ec669e52b415b6bf43816
  SHA256: 3bd60f927e3882940077fa527712e5c55a2767564b39a932c4d4941e190a4c81
  SHA512: ce773799e73f0b61a793098df7a824346ec1d94d16877a272ace42a644d4fdf7d6a68b4a7c976b4b90471036f0d68b56bbfec18cffc68331c32970e7db7c57c4
File 3
  Filesize: 219B
  MD5: 70e5d6cdf95e6c8bd3cb92a5f27b41f1
  SHA1: 2139d28ec203b8e56a4d4b5f35cdc971711ee16b
  SHA256: ddbb5359838904c2276556b9e509443ffecba2ef2c15c97370f0a0df01a22a0d
  SHA512: b49e59956fe3b04980c2e9ba174da14239277b64c15a0d4cef2af1976bbaf9c7fec4a430afa1c1f56563a9f70b6d6339872be7dd847597a84b2a52730b399f3d