General
Target: 8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118
Size: 1.2MB
Sample: 241103-2j5lbsvrbs
MD5: 8dd4feb508accc0825819ca3dbcd281a
SHA1: 9a4c6b4628f9a7f96f8f15b81d9bfee310f7397e
SHA256: 6a11f3f9aef2409809f0a94b6189adbac3adb24ca4e2f5e773fe27b3e1d46bfc
SHA512: 7de2311194e1123f7c6c3f1dcae2edd8ab464c5ff5f561e125bc9a646e965122384980618e91e7d1f4010dd81c5872310c8d2e9cacd4d69ec6208c3512f55732
SSDEEP: 24576:U2G/nvxW3Ww0t8jND8vbU7PDm1OaLUd/7TEEJ6+4/:UbA308V8zpKZTtS
Behavioral task: behavioral1
Sample: 8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: 8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118
Score: 10/10

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1

Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1

Defense Evasion
  Modify Registry: 2
  Subvert Trust Controls: 1
    Install Root Certificate: 1