Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-11-2024 22:37

General

  • Target

    8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    8dd4feb508accc0825819ca3dbcd281a

  • SHA1

    9a4c6b4628f9a7f96f8f15b81d9bfee310f7397e

  • SHA256

    6a11f3f9aef2409809f0a94b6189adbac3adb24ca4e2f5e773fe27b3e1d46bfc

  • SHA512

    7de2311194e1123f7c6c3f1dcae2edd8ab464c5ff5f561e125bc9a646e965122384980618e91e7d1f4010dd81c5872310c8d2e9cacd4d69ec6208c3512f55732

  • SSDEEP

    24576:U2G/nvxW3Ww0t8jND8vbU7PDm1OaLUd/7TEEJ6+4/:UbA308V8zpKZTtS

Malware Config

Signatures

  • DcRat 9 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8dd4feb508accc0825819ca3dbcd281a_JaffaCakes118.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Driversvc\AhjG1SSiCzrRmq149Re8x56.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Driversvc\XdscX9Udcy.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Driversvc\DriversvcfontWin.exe
          "C:\Driversvc\DriversvcfontWin.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Driversvc\DriversvcfontWin.exe
            "C:\Driversvc\DriversvcfontWin.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\ProgramData\Application Data\spoolsv.exe
              "C:\ProgramData\Application Data\spoolsv.exe"
              6⤵
              • Executes dropped EXE
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\msfeeds\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\MsPbdaCoInst\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Driversvc\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Application Data\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Driversvc\AhjG1SSiCzrRmq149Re8x56.vbe

    Filesize

    196B

    MD5

    40042ea3910c101240fdb6e7c69e2a86

    SHA1

    98edbd6fb589e1e1f47d9d45e355bc0f081ce887

    SHA256

    4a4fb4a3a1f98493c6ae2fc235cc7ca0178f1249b41289dad58dd4b534f1beef

    SHA512

    dceba2792f91855dead8f2373930a02f50381cddf44ec955924ca3ce5c1a58abd8448da0f03f91ee9ede698aa4acdccf6ce634000430ddbc1608dc322db55de5

  • C:\Driversvc\DriversvcfontWin.exe

    Filesize

    921KB

    MD5

    6a5f480d53b5dafb43d3bf62f33384bb

    SHA1

    b41ccb5eed4de277a45ddd38d81121d7712cc035

    SHA256

    c9b11504ef5296c23fe7970a800aace594215056bb3f0ab44bdd341b58f92c1f

    SHA512

    fba887de35d97cd9f8f30c9eb9e01362851b052913e43287c3d2c48b41eb94518ecd709a4593c54c9a090f395aedf1becaa322c9af10ada06f757604ad83b38c

  • C:\Driversvc\XdscX9Udcy.bat

    Filesize

    35B

    MD5

    e6033eb3cc240c64ff76c46b7806f27b

    SHA1

    a5be4bb4378a3b20da162bfb758deb1154c25faf

    SHA256

    062fb81034841258ce878902f5bdfbfb00684b8e7162c9ebff2d7cf6f15cd77d

    SHA512

    6be31bb696d7882a051db97833ca2714a6478aa0b18dcf5030398ef3ca71170a0a880fa39af5b7026df277d67a1e6d906abf714b804a4b7aa047aecb2ead32bc

  • memory/2876-37-0x0000000001080000-0x000000000116E000-memory.dmp

    Filesize

    952KB

  • memory/2968-13-0x00000000000D0000-0x00000000001BE000-memory.dmp

    Filesize

    952KB