General

  • Target

    8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118

  • Size

    1.2MB

  • Sample

    241103-2j5lbsvrbs

  • MD5

    8dd4feb508accc0825819ca3dbcd281a

  • SHA1

    9a4c6b4628f9a7f96f8f15b81d9bfee310f7397e

  • SHA256

    6a11f3f9aef2409809f0a94b6189adbac3adb24ca4e2f5e773fe27b3e1d46bfc

  • SHA512

    7de2311194e1123f7c6c3f1dcae2edd8ab464c5ff5f561e125bc9a646e965122384980618e91e7d1f4010dd81c5872310c8d2e9cacd4d69ec6208c3512f55732

  • SSDEEP

    24576:U2G/nvxW3Ww0t8jND8vbU7PDm1OaLUd/7TEEJ6+4/:UbA308V8zpKZTtS

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • DCRat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks