Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 07:29
Behavioral task: behavioral1
Sample: c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Size: 1.4MB
MD5: c697f3001198246fe1a1d2494a0ff2ee
SHA1: 0505a546298ff2a17d510387a1060ab3f44112e7
SHA256: 250196616e509add44f0e1dec8e4e1b515ef52df9a6e3f569ee0fe7c80a13914
SHA512: 24b7723c24a8687ad152dacad7b0ea52dc8500c1f6a727eb26d4f8015ef91f56d3e8d1cc5d3d0f11ac9101934ccb814d620f0806941f22c809dbad6dee4cb042
SSDEEP: 24576:u2G/nvxW3WieCjbsHd2vNn2LRLpapqDTmRf9KrFnbkW9zdAZeSGhl6C+4Q:ubA3jnvNn2LIqH4S/g9GhwVt
Malware Config
Signatures
DcRat (5 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
| | 3840 | schtasks.exe
| | 3056 | schtasks.exe
| | 3372 | schtasks.exe
| | 2588 | schtasks.exe
Dcrat family
resource | yara_rule
behavioral2/files/0x000a000000023b97-10.dat | dcrat
behavioral2/memory/4160-13-0x0000000000750000-0x000000000087A000-memory.dmp | dcrat
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3840 | 5064 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 5064 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3372 | 5064 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 5064 | schtasks.exe | 86
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | fontCrtmonitordhcpcommonsvc.exe
Executes dropped EXE (2 IoCs)
pid | Process
4160 | fontCrtmonitordhcpcommonsvc.exe
1468 | Registry.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\oemlicense\\fontdrvhost.exe\"" | fontCrtmonitordhcpcommonsvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\RuntimeBroker.exe\"" | fontCrtmonitordhcpcommonsvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Mozilla Firefox\\defaults\\pref\\fontdrvhost.exe\"" | fontCrtmonitordhcpcommonsvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Documents and Settings\\Registry.exe\"" | fontCrtmonitordhcpcommonsvc.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\oemlicense\fontdrvhost.exe | fontCrtmonitordhcpcommonsvc.exe
File created | C:\Windows\System32\oemlicense\5b884080fd4f94e2695da25c503f9e33b9605b83 | fontCrtmonitordhcpcommonsvc.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Mozilla Firefox\defaults\pref\fontdrvhost.exe | fontCrtmonitordhcpcommonsvc.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\fontdrvhost.exe | fontCrtmonitordhcpcommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\5b884080fd4f94e2695da25c503f9e33b9605b83 | fontCrtmonitordhcpcommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe
Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
3956 | reg.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3372 | schtasks.exe
2588 | schtasks.exe
3840 | schtasks.exe
3056 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4160 | fontCrtmonitordhcpcommonsvc.exe
1468 | Registry.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4160 | fontCrtmonitordhcpcommonsvc.exe
Token: SeDebugPrivilege | 1468 | Registry.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 3692 wrote to memory of 2216 | 3692 | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe | 82
PID 3692 wrote to memory of 2216 | 3692 | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe | 82
PID 3692 wrote to memory of 2216 | 3692 | c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe | 82
PID 2216 wrote to memory of 3848 | 2216 | WScript.exe | 83
PID 2216 wrote to memory of 3848 | 2216 | WScript.exe | 83
PID 2216 wrote to memory of 3848 | 2216 | WScript.exe | 83
PID 3848 wrote to memory of 4160 | 3848 | cmd.exe | 85
PID 3848 wrote to memory of 4160 | 3848 | cmd.exe | 85
PID 4160 wrote to memory of 1468 | 4160 | fontCrtmonitordhcpcommonsvc.exe | 91
PID 4160 wrote to memory of 1468 | 4160 | fontCrtmonitordhcpcommonsvc.exe | 91
PID 3848 wrote to memory of 3956 | 3848 | cmd.exe | 92
PID 3848 wrote to memory of 3956 | 3848 | cmd.exe | 92
PID 3848 wrote to memory of 3956 | 3848 | cmd.exe | 92
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe (PID 3692, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c697f3001198246fe1a1d2494a0ff2ee_JaffaCakes118.exe"
  - DcRat
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2216, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\fontCrtmonitor\nA8GErCea25MZivjqg2s92X.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3848, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\fontCrtmonitor\l0noRYfNtuMwZAdFzsP7Iup4EtFybJ.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\fontCrtmonitor\fontCrtmonitordhcpcommonsvc.exe (PID 4160, depth 4)
        Command line: "C:\fontCrtmonitor\fontCrtmonitordhcpcommonsvc.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Documents and Settings\Registry.exe (PID 1468, depth 5)
          Command line: "C:\Documents and Settings\Registry.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\reg.exe (PID 3956, depth 4)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - System Location Discovery: System Language Discovery
        - Modifies registry key

C:\Windows\system32\schtasks.exe (PID 3840, depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3056, depth 1)
  Command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Documents and Settings\Registry.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3372, depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\oemlicense\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2588, depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 1.1MB
MD5: 28886e53db2a45715e41eae56995d6f1
SHA1: bc4e39e76862b679008cf09d5f1dfb699f3c2221
SHA256: 3016236a2f8762247bcfc3155c3dea0f7e95dd4a169d992f8b513ceb854b3fd6
SHA512: ee054887be745a247f9686552b685859a0f4bf5d1596242796a6ae4e8a34797f98fb3334ef04d59d4d8e2bab90292861d305984f90b161206efbf358c4bbc10f

Filesize: 163B
MD5: 1cf2705e98452a852a6de7b249a90c87
SHA1: a471792f55ade29290eec36a725b1220e15146ba
SHA256: 8bafb2cdfc3b8cf0118bd973185e077ba2626b37a2f64c9c79e5a7bf2073bc18
SHA512: 115813a1766dcbdfc6e690e2f242a0e0ea7d8e801e115e64fc51145c4f56aa12d06a2cb431f74851e0182299ada3de615c2fc64462aecb2ba998cbd2775e2a01

Filesize: 221B
MD5: 6ffd9e92b08389f74f46cbfa8aaabddf
SHA1: 8c941128ea70205935f21ddc70b8246d1787675c
SHA256: 1ea84b3dbb654661f188f40ee3ca42d977bc1dab091fc1232a2ce012f368d62e
SHA512: 7a384774985905b82964a5f61e12f2d4780d15bbc2b847a987e833c69569fc443e850c2f41e5e89f2bf3bfe2c8de8ad8ed4001b431f975a8755ebd3b83adda79