dcrat | 9d1cda19a05364d02903a407a68a85313dff6bf47a4f3b42e62d125a8bfae4b8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
Size

768KB
MD5

adf5cb2ba4e13eba254adea54ee6855d
SHA1

00759c66c70ead273372cc31964f493105539704
SHA256

9d1cda19a05364d02903a407a68a85313dff6bf47a4f3b42e62d125a8bfae4b8
SHA512

c74b19c3be4bda23deb28ce880bf63751a2baa9cc8f15096187dab4c7a2bb2c01960b3e8baba364f076501fc6b9952932ccb4773d22c0ec4cd03fca54fd08ff7
SSDEEP

12288:QqnO6RZ6I3yp4AcLuLPoRTsJhHZt+Uj8f+ZVFpuolCcVArWU:Q+O6zi4hL0oRAzgEFpl

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1656-1-0x0000000001380000-0x0000000001446000-memory.dmp	dcrat
behavioral1/files/0x0005000000019377-11.dat	dcrat
behavioral1/memory/2520-25-0x0000000000E90000-0x0000000000F56000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid	Process
2520	taskhost.exe

Drops file in System32 directory 7 IoCs

Processes:

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\System32\icardres\csrss.exe	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\icardres\csrss.exe	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Windows\System32\icardres\886983d96e3d3e31032c679b2d4ea91b6c05afef	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Windows\System32\rsop\lsass.exe	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Windows\System32\rsop\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Windows\System32\wbem\wbemdisp\WmiPrvSE.exe	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Windows\System32\wbem\wbemdisp\24dbde2999530ef5fd907494bc374d663924116c	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\101b941d020240259ca4912829b53995ad543df6	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2544	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2544	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
804	schtasks.exe
2436	schtasks.exe
2000	schtasks.exe
2668	schtasks.exe
2792	schtasks.exe
2316	schtasks.exe
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exetaskhost.exe

pid	Process
1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
2520	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exetaskhost.exe

description	pid	Process
Token: SeDebugPrivilege	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
Token: SeDebugPrivilege	2520	taskhost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 1656 wrote to memory of 804	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	29
PID 1656 wrote to memory of 804	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	29
PID 1656 wrote to memory of 804	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	29
PID 1656 wrote to memory of 2436	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2436	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2436	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2000	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	33
PID 1656 wrote to memory of 2000	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	33
PID 1656 wrote to memory of 2000	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	33
PID 1656 wrote to memory of 2668	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	35
PID 1656 wrote to memory of 2668	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	35
PID 1656 wrote to memory of 2668	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	35
PID 1656 wrote to memory of 2792	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	37
PID 1656 wrote to memory of 2792	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	37
PID 1656 wrote to memory of 2792	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	37
PID 1656 wrote to memory of 2316	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	39
PID 1656 wrote to memory of 2316	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	39
PID 1656 wrote to memory of 2316	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	39
PID 1656 wrote to memory of 2672	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	41
PID 1656 wrote to memory of 2672	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	41
PID 1656 wrote to memory of 2672	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	41
PID 1656 wrote to memory of 2640	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	43
PID 1656 wrote to memory of 2640	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	43
PID 1656 wrote to memory of 2640	1656	adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe	43
PID 2640 wrote to memory of 2740	2640	cmd.exe	45
PID 2640 wrote to memory of 2740	2640	cmd.exe	45
PID 2640 wrote to memory of 2740	2640	cmd.exe	45
PID 2640 wrote to memory of 2544	2640	cmd.exe	46
PID 2640 wrote to memory of 2544	2640	cmd.exe	46
PID 2640 wrote to memory of 2544	2640	cmd.exe	46
PID 2640 wrote to memory of 2520	2640	cmd.exe	47
PID 2640 wrote to memory of 2520	2640	cmd.exe	47
PID 2640 wrote to memory of 2520	2640	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adf5cb2ba4e13eba254adea54ee6855d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\icardres\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:804
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2436
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsm.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2000
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Adobe\csrss.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2668
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\rsop\lsass.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2792
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\taskhost.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2316
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wbemdisp\WmiPrvSE.exe'" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7fdtU024rn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2740
- - C:\Windows\system32\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2544
- - C:\ProgramData\Start Menu\taskhost.exe
    "C:\ProgramData\Start Menu\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7fdtU024rn.bat

Filesize
204B

MD5
c6c7a5ff6e084ba4bf8da56e4774e1fc

SHA1
efba85d136990dbebe7b9bf3341b1546fbdad575

SHA256
38831c48b16ec7e4c544db94108fd621bab02dd6bb8edf7f9efc1d0924c1fda5

SHA512
5ea96fa543ca48864447d7abded45bdea862ccc441fec349232909d10618cb3af01abfd12a8792092c71ccea9a09b91a0aa642aee6d9c0f9cd5637f12f7c54da

Download Submit
C:\Windows\System32\rsop\lsass.exe

Filesize
768KB

MD5
adf5cb2ba4e13eba254adea54ee6855d

SHA1
00759c66c70ead273372cc31964f493105539704

SHA256
9d1cda19a05364d02903a407a68a85313dff6bf47a4f3b42e62d125a8bfae4b8

SHA512
c74b19c3be4bda23deb28ce880bf63751a2baa9cc8f15096187dab4c7a2bb2c01960b3e8baba364f076501fc6b9952932ccb4773d22c0ec4cd03fca54fd08ff7

Download Submit
memory/1656-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000001380000-0x0000000001446000-memory.dmp

Filesize
792KB

Download
memory/1656-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-21-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-25-0x0000000000E90000-0x0000000000F56000-memory.dmp

Filesize
792KB

Download