dcrat | 22d63d9860fa09c5f5c6a6900aee81a8f0bdaf0647892d300d949c7116ebc354

General

Target

c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Size

1.1MB
MD5

c76615b8f581aaaf477d84be98e8ea7c
SHA1

b5c19a63af315762dee75232fc29862255ef87a9
SHA256

22d63d9860fa09c5f5c6a6900aee81a8f0bdaf0647892d300d949c7116ebc354
SHA512

2d159441ca886fbb35e1a1c6acb6203c5efe4944759d87e157f7507967eb1b1f0a0fb14fd27c280f45c1a715212aa7c5fc9e87606ec9420efbf5b3510a92dc2c
SSDEEP

24576:foVOdgE22Jlx52AdzNYBO7X6zOTYqVJ7dmnhRVxOWF0+4:1gqx5rgO790e8Dn

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1624	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1624	schtasks.exe	29

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2524-1-0x0000000000B60000-0x0000000000C78000-memory.dmp	dcrat
behavioral1/files/0x000500000001a46f-11.dat	dcrat
behavioral1/memory/2104-25-0x00000000000D0000-0x00000000001E8000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2104	lsass.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\tapisrv\\lsm.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\it\\OSPPSVC.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS\\OSPPSVC.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\WLanHC\\lsass.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\DFDWiz\\lsass.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\bootres\\csrss.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\""	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\tapisrv\lsm.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\tapisrv\lsm.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\WLanHC\lsass.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\DFDWiz\lsass.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\DFDWiz\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\bootres\csrss.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\bootres\886983d96e3d3e31032c679b2d4ea91b6c05afef	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\tapisrv\101b941d020240259ca4912829b53995ad543df6	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Windows\System32\WLanHC\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\OSPPSVC.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2840	schtasks.exe
2800	schtasks.exe
2600	schtasks.exe
2708	schtasks.exe
2812	schtasks.exe
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
2104	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
Token: SeDebugPrivilege	2104	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2052	2524	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe	37
PID 2524 wrote to memory of 2052	2524	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe	37
PID 2524 wrote to memory of 2052	2524	c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe	37
PID 2052 wrote to memory of 1064	2052	cmd.exe	39
PID 2052 wrote to memory of 1064	2052	cmd.exe	39
PID 2052 wrote to memory of 1064	2052	cmd.exe	39
PID 2052 wrote to memory of 1040	2052	cmd.exe	40
PID 2052 wrote to memory of 1040	2052	cmd.exe	40
PID 2052 wrote to memory of 1040	2052	cmd.exe	40
PID 2052 wrote to memory of 2104	2052	cmd.exe	41
PID 2052 wrote to memory of 2104	2052	cmd.exe	41
PID 2052 wrote to memory of 2104	2052	cmd.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c76615b8f581aaaf477d84be98e8ea7c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rfy3LSiZTt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1064
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1040
- - C:\Windows\System32\WLanHC\lsass.exe
    "C:\Windows\System32\WLanHC\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\tapisrv\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WLanHC\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\DFDWiz\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\bootres\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rfy3LSiZTt.bat

Filesize
252B

MD5
21e1e6a6db79730542295ac015397dbd

SHA1
b2a89e1a38ff3155058f0faafdbf7a33a919cfff

SHA256
b380c7d7fd84dc38cd062d32d08a97c45f92c462b1518a398de212c3808202ea

SHA512
579d1ce7bf318eb6047f0a0480e8f2bae44b19b2129d2d05ed7dac2def3b71f31cb0923cfc483e346a34164eff6425344a767270a8757bbf76444d3efb10f0ef

Download Submit
C:\Windows\System32\DFDWiz\lsass.exe

Filesize
1.1MB

MD5
c76615b8f581aaaf477d84be98e8ea7c

SHA1
b5c19a63af315762dee75232fc29862255ef87a9

SHA256
22d63d9860fa09c5f5c6a6900aee81a8f0bdaf0647892d300d949c7116ebc354

SHA512
2d159441ca886fbb35e1a1c6acb6203c5efe4944759d87e157f7507967eb1b1f0a0fb14fd27c280f45c1a715212aa7c5fc9e87606ec9420efbf5b3510a92dc2c

Download Submit
memory/2104-25-0x00000000000D0000-0x00000000001E8000-memory.dmp

Filesize
1.1MB

Download
memory/2524-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000000B60000-0x0000000000C78000-memory.dmp

Filesize
1.1MB

Download
memory/2524-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-22-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads