Overview

overview

10

Static

static

10

8884881ff1...18.exe

windows7-x64

10

8884881ff1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8884881ff19c34d3974a042004249d5f_JaffaCakes118.exe

  • Size

    874KB

  • MD5

    8884881ff19c34d3974a042004249d5f

  • SHA1

    2c810189553a84340fefc4c69cc681a28bf51809

  • SHA256

    4e591ca9530450eca3c227d9292c3496d54d022c83d8b9c5372d91b97fed3203

  • SHA512

    3a5e666b683a85048ed88fc4b45078ae4e2f0bfd74724c77c9786bbb3af8dad5b6456b752b63028a2d2f50a330cb0a1e996503cdbfb9baa02b12ad4b93fadbf9

  • SSDEEP

    24576:J2G/nvxW3Whv6+OgbjAN2BJKC2XOIJiX+/OzB:JbA3gtLb/CC2eIkuK

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8884881ff19c34d3974a042004249d5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8884881ff19c34d3974a042004249d5f_JaffaCakes118.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\FontCrtMonitorDllSvc\vE7Wyr01RvAnAST1giMb.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\FontCrtMonitorDllSvc\gCY11fLh4bC7HvXSu1m.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\FontCrtMonitorDllSvc\FontCrtMonitorDllSvcreviewNetsvc.exe
          "C:\FontCrtMonitorDllSvc\FontCrtMonitorDllSvcreviewNetsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEeyxbCNCP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:956
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:3756
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1224
                • C:\Windows\System32\nsisvc\winlogon.exe
                  "C:\Windows\System32\nsisvc\winlogon.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\FontCrtMonitorDllSvc\services.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\SCardSvr\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\SgrmEnclave_secure\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\nsisvc\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\bthpanapi\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1492

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\FontCrtMonitorDllSvc\FontCrtMonitorDllSvcreviewNetsvc.exe
        Filesize

        590KB

        MD5

        2c315119bccbfc01edcf25428f888343

        SHA1

        d9c0f6659ca70ac3d39b8072cfbfc96d7f00cfd0

        SHA256

        a9e0f4172119f9d033f93ab762b2675eb99584b1c3cf4c3de250a61c66af1617

        SHA512

        5d15bc84c1560141debad54bdf956015549e2d822fb5d9d2f5a9c36a0daa9df3f7a874084e2ad7797cbd54125eee9aa48ea61583830ba30089d05ad079e692e5

        Download Submit

      • C:\FontCrtMonitorDllSvc\gCY11fLh4bC7HvXSu1m.bat
        Filesize

        62B

        MD5

        ce0b278441796215b13a4914369db914

        SHA1

        af815b921fdc983b1036d1ddbd83db8645fe91ff

        SHA256

        b8d5c301795b7f706f695847716bef42036b9c054064fa5fc859949c4cf55a37

        SHA512

        a24a94fdee3f0022b9960fd0890df02bffe19336061cdfa2c7bfdbbc1fdf27c32cf5f0b6238731fc5a3c24ec87f234066d1517054e1576adf59b00daf7605ffe

        Download Submit

      • C:\FontCrtMonitorDllSvc\vE7Wyr01RvAnAST1giMb.vbe
        Filesize

        217B

        MD5

        30249dc0e717ec6b17f006ed1eb9221b

        SHA1

        43ed3498e441f2d3cfb17f234fc5de1c93161eef

        SHA256

        2b612666b8b0664e638d36d591713d8bf2a98fed60a02ffe236b65f1adfac0a9

        SHA512

        d6d9e5d55cab9d89a5b8f3e77e10e3da5d308fb510064e97f15076f4f3520fc5168c8f42177803c35475120eb9ab476c1ec8df02e24a172e07d6fec2ec42c10a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\GEeyxbCNCP.bat
        Filesize

        255B

        MD5

        cdbd067fdb4ac0ea64b764935c33d955

        SHA1

        783e14dc93eaa2533492b705b708f8beae7fda22

        SHA256

        3931657f7838a654b4c897722aac8d90a6bd57cc46a9ebab01bbefe90a3e5291

        SHA512

        9e35539f5b91742e7cf06f11db4548f72d447b915c167d1428f6df7c512ad9cbaddb10e6aa2b117865ebe2b6ef3cd0385ef4e9f84bbfcdd4682dfc928f004e0e

        Download Submit

      • memory/2392-41-0x00000000024E0000-0x00000000024E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2392-37-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2392-39-0x0000000000B00000-0x0000000000B0A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2392-38-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2392-40-0x0000000000D20000-0x0000000000D28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2392-42-0x00000000024F0000-0x00000000024F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2392-43-0x0000000002500000-0x0000000002508000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2392-44-0x0000000002510000-0x0000000002518000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3648-13-0x0000000000630000-0x00000000006CA000-memory.dmp

        Filesize

        616KB

        Download

      • memory/3648-12-0x00007FFC52543000-0x00007FFC52545000-memory.dmp

        Filesize

        8KB

        Download