dcrat | 1fa9bed9d75dc028cbd7981fa4152a58a5762deb1a9b67a1d7ea9b8f3fbaf2a3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
Size

1.1MB
MD5

bb118ab611fb84b954cca29f66fc1c0e
SHA1

1ea056e2024147528dbf46096a0de9faf07f66cb
SHA256

1fa9bed9d75dc028cbd7981fa4152a58a5762deb1a9b67a1d7ea9b8f3fbaf2a3
SHA512

b1262aa2bb9439ad697966bf4408e34d7ab98280313a68627a7df9c202f839b17f4e3868ff7a03e8ea76592d5757f6b1a57344852f5f6cb5d8ea5963a4fff514
SSDEEP

12288:vl8teodM4fNDVbUs2yxeNdnSM7JrPjwIbSHPLo+DwgYJqwhSw42FhIbIGKxnqGi6:9SMpj92vU1gYJq4seqG9vjiTrsb

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3588-11-0x0000000000400000-0x000000000046E000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
1040	services.exe
3608	services.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1040 set thread context of 3608	1040	services.exe	113

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\1f93f77a7f4778895ba35b416f8db5fd86e3102e	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
File created	C:\Program Files\ModifiableWindowsApps\winlogon.exe	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\en-US\SppExtComObj.exe	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\en-US\e1ef82546f0b02b7e974f28047f3788b1128cce1	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\winlogon.exe	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_11.0.19041.746_none_0f77cde89bad509d\f\dwm.exe	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1944	schtasks.exe
2236	schtasks.exe
2008	schtasks.exe
536	schtasks.exe
2524	schtasks.exe
4060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
3608	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
Token: SeDebugPrivilege	3608	services.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 1500 wrote to memory of 3588	1500	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	99
PID 3588 wrote to memory of 536	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	100
PID 3588 wrote to memory of 536	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	100
PID 3588 wrote to memory of 536	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	100
PID 3588 wrote to memory of 2524	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	102
PID 3588 wrote to memory of 2524	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	102
PID 3588 wrote to memory of 2524	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	102
PID 3588 wrote to memory of 4060	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	104
PID 3588 wrote to memory of 4060	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	104
PID 3588 wrote to memory of 4060	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	104
PID 3588 wrote to memory of 1944	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	106
PID 3588 wrote to memory of 1944	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	106
PID 3588 wrote to memory of 1944	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	106
PID 3588 wrote to memory of 2236	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	108
PID 3588 wrote to memory of 2236	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	108
PID 3588 wrote to memory of 2236	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	108
PID 3588 wrote to memory of 2008	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	110
PID 3588 wrote to memory of 2008	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	110
PID 3588 wrote to memory of 2008	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	110
PID 3588 wrote to memory of 1040	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	112
PID 3588 wrote to memory of 1040	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	112
PID 3588 wrote to memory of 1040	3588	bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe	112
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113
PID 1040 wrote to memory of 3608	1040	services.exe	113

C:\Users\Admin\AppData\Local\Temp\bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe
  "{path}"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:536
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\en-US\SppExtComObj.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2524
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\PerfLogs\spoolsv.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4060
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\MoUsoCoreWorker.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1944
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Registry" /sc ONLOGON /tr "'C:\Documents and Settings\Registry.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\services.exe'" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2008
- - C:\PerfLogs\services.exe
    "C:\PerfLogs\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\PerfLogs\services.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bb118ab611fb84b954cca29f66fc1c0e_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Registry.exe

Filesize
1.1MB

MD5
bb118ab611fb84b954cca29f66fc1c0e

SHA1
1ea056e2024147528dbf46096a0de9faf07f66cb

SHA256
1fa9bed9d75dc028cbd7981fa4152a58a5762deb1a9b67a1d7ea9b8f3fbaf2a3

SHA512
b1262aa2bb9439ad697966bf4408e34d7ab98280313a68627a7df9c202f839b17f4e3868ff7a03e8ea76592d5757f6b1a57344852f5f6cb5d8ea5963a4fff514

Download Submit
memory/1040-36-0x0000000005B70000-0x0000000005B82000-memory.dmp

Filesize
72KB

Download
memory/1500-10-0x0000000006C40000-0x0000000006CD4000-memory.dmp

Filesize
592KB

Download
memory/1500-3-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/1500-5-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1500-6-0x0000000006880000-0x000000000691C000-memory.dmp

Filesize
624KB

Download
memory/1500-7-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/1500-8-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1500-9-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1500-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1500-1-0x00000000008B0000-0x00000000009C8000-memory.dmp

Filesize
1.1MB

Download
memory/1500-4-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/1500-14-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1500-2-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3588-13-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3588-21-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3588-22-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3588-16-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3588-15-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/3588-35-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3588-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download