dcrat | 9464744616b18af752a573ee701b6cb66b5f6a9b4283c0979eafb9eed700ea9e

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe
Size

1.1MB
MD5

79fbaeb0179ede82ef64517bb767cb22
SHA1

4d7f8d7c5e7e068d12fd7825331fae47523a5669
SHA256

9464744616b18af752a573ee701b6cb66b5f6a9b4283c0979eafb9eed700ea9e
SHA512

32ec095bed57e0ae2f3b5a972894474ccf309f525420a19fba8cc5d80ffe0e855acf06909f9ff61423a930dc288c96fe9d6b4b3fd17e830a0bda621e8190a066
SSDEEP

12288:F2n8iaYegKbzRUM7iXmuOL9t5CdPQIWdBtgM+unGyloYhe/7ey+KrSpZdFY1UaQt:FkdaeOJte0GNYheyy+KSpZdFY1Ud

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0034000000016d42-5.dat	dcrat
behavioral1/memory/2144-7-0x0000000001110000-0x00000000011DE000-memory.dmp	dcrat
behavioral1/memory/2036-32-0x0000000000390000-0x000000000045E000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2144	FilesTempDirectory.exe
2036	WmiPrvSE.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\perfh011\taskhost.exe	FilesTempDirectory.exe
File created	C:\Windows\System32\perfh011\b75386f1303e64d8139363b71e44ac16341adf4e	FilesTempDirectory.exe
File created	C:\Windows\System32\hbaapi\lsm.exe	FilesTempDirectory.exe
File created	C:\Windows\System32\hbaapi\101b941d020240259ca4912829b53995ad543df6	FilesTempDirectory.exe
File created	C:\Windows\System32\wbem\OfflineFilesWmiProvider\WmiPrvSE.exe	FilesTempDirectory.exe
File created	C:\Windows\System32\wbem\OfflineFilesWmiProvider\24dbde2999530ef5fd907494bc374d663924116c	FilesTempDirectory.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	FilesTempDirectory.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	FilesTempDirectory.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c99120d96dace90a3f93f329dcad63	FilesTempDirectory.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
332	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1800	schtasks.exe
1308	schtasks.exe
2744	schtasks.exe
2700	schtasks.exe
2768	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	FilesTempDirectory.exe
2036	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	FilesTempDirectory.exe
Token: SeDebugPrivilege	2036	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2144	2488	79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2144	2488	79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2144	2488	79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe	30
PID 2144 wrote to memory of 2744	2144	FilesTempDirectory.exe	32
PID 2144 wrote to memory of 2744	2144	FilesTempDirectory.exe	32
PID 2144 wrote to memory of 2744	2144	FilesTempDirectory.exe	32
PID 2144 wrote to memory of 2700	2144	FilesTempDirectory.exe	34
PID 2144 wrote to memory of 2700	2144	FilesTempDirectory.exe	34
PID 2144 wrote to memory of 2700	2144	FilesTempDirectory.exe	34
PID 2144 wrote to memory of 2768	2144	FilesTempDirectory.exe	36
PID 2144 wrote to memory of 2768	2144	FilesTempDirectory.exe	36
PID 2144 wrote to memory of 2768	2144	FilesTempDirectory.exe	36
PID 2144 wrote to memory of 2748	2144	FilesTempDirectory.exe	38
PID 2144 wrote to memory of 2748	2144	FilesTempDirectory.exe	38
PID 2144 wrote to memory of 2748	2144	FilesTempDirectory.exe	38
PID 2144 wrote to memory of 1800	2144	FilesTempDirectory.exe	40
PID 2144 wrote to memory of 1800	2144	FilesTempDirectory.exe	40
PID 2144 wrote to memory of 1800	2144	FilesTempDirectory.exe	40
PID 2144 wrote to memory of 1308	2144	FilesTempDirectory.exe	42
PID 2144 wrote to memory of 1308	2144	FilesTempDirectory.exe	42
PID 2144 wrote to memory of 1308	2144	FilesTempDirectory.exe	42
PID 2144 wrote to memory of 2324	2144	FilesTempDirectory.exe	44
PID 2144 wrote to memory of 2324	2144	FilesTempDirectory.exe	44
PID 2144 wrote to memory of 2324	2144	FilesTempDirectory.exe	44
PID 2324 wrote to memory of 536	2324	cmd.exe	46
PID 2324 wrote to memory of 536	2324	cmd.exe	46
PID 2324 wrote to memory of 536	2324	cmd.exe	46
PID 2324 wrote to memory of 332	2324	cmd.exe	47
PID 2324 wrote to memory of 332	2324	cmd.exe	47
PID 2324 wrote to memory of 332	2324	cmd.exe	47
PID 2324 wrote to memory of 2036	2324	cmd.exe	48
PID 2324 wrote to memory of 2036	2324	cmd.exe	48
PID 2324 wrote to memory of 2036	2324	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fbaeb0179ede82ef64517bb767cb22_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\FilesTempDirectory\FilesTempDirectory.exe
  "C:\Users\Admin\AppData\Roaming\FilesTempDirectory\FilesTempDirectory.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2744
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\hbaapi\lsm.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2768
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2748
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\OfflineFilesWmiProvider\WmiPrvSE.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1800
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\perfh011\taskhost.exe'" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1308
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Eo2MWc2VpW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:536
  - - C:\Windows\system32\PING.EXE
      ping -n 5 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:332
  - - C:\Windows\System32\wbem\OfflineFilesWmiProvider\WmiPrvSE.exe
      "C:\Windows\System32\wbem\OfflineFilesWmiProvider\WmiPrvSE.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eo2MWc2VpW.bat

Filesize
227B

MD5
4bd07c7d6b2f93d626ac0f96fbf8ecbf

SHA1
804509ee59d3a0f2a193287ea4eb8e16e787d380

SHA256
ae1279fe19ecf55f52c8c05025d5d86636f2cdcb225d69849ee6e6cf94185e16

SHA512
a98c2a70f805bacf27d78d1eaa30c95ed6b8697c6cfb58a3b2aabea831bea162500f4982f639385416539b7c992414621e9b3eafee64be13650a66fc3b07450c

Download Submit
C:\Users\Admin\AppData\Roaming\FilesTempDirectory\FilesTempDirectory.exe

Filesize
801KB

MD5
44994de5c6182968cdeb022deeb25536

SHA1
0f347814c45c30dd76becbf3acc3381a3af8a972

SHA256
f807a67ed9567fcd8003beb9c0e7064de1c0eff5c282ddc502084b3475db0e4a

SHA512
0f883b85fef9f5fd32ad9f9eb7003afc44542ca3bf5e19f8836e32f6b69ed77821ba04fcba77dfad90b13827a5bad7d129f033190bd54d5cf23b454b2e402d08

Download Submit
memory/2036-32-0x0000000000390000-0x000000000045E000-memory.dmp

Filesize
824KB

Download
memory/2144-8-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-7-0x0000000001110000-0x00000000011DE000-memory.dmp

Filesize
824KB

Download
memory/2144-10-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-28-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000000D30000-0x0000000000E48000-memory.dmp

Filesize
1.1MB

Download
memory/2488-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-9-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download