Overview

overview

10

Static

static

10

cd0474c2a3...18.exe

windows7-x64

10

cd0474c2a3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    cd0474c2a3a8a662b9ec1cda81ef072e

  • SHA1

    e1bc9504cbf0f6b96ba50f5a14b34d4f9466480d

  • SHA256

    6fa4e7b5a0f66ca0eb75634dbcc3a75a33e126d4f62fd76285a016d5df61b785

  • SHA512

    fc8d7fa6216f85924f5eaa7252c3bb720bab4d48d86a11f10d236190debd3b2f773188039250d378b1ab6c32ac4f053fba6b3a632ef6ef26d3345b1cd4055215

  • SSDEEP

    24576:u2G/nvxW3WieCIjEHTG4BWus6NpkRqqdY/kxqlQOczM9xDEw5PWGBcXkaH+kO+49:ubA3jI2BWuzpkRLOsGEwRnB8k4hJ2

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 9 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Monitordhcp\Xii1UKV1Nw42l78hpaWebp.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Monitordhcp\WILvUYc.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Monitordhcp\Monitordhcphostperfdhcp.exe
          "C:\Monitordhcp\Monitordhcphostperfdhcp.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Monitordhcp\Monitordhcphostperfdhcp.exe
            "C:\Monitordhcp\Monitordhcphostperfdhcp.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Monitordhcp\WILvUYc\dllhost.exe
              "C:\Monitordhcp\WILvUYc\dllhost.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\KrnlProv\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\provthrd\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Monitordhcphostperfdhcp" /sc ONLOGON /tr "'C:\Monitordhcp\WILvUYc\Monitordhcphostperfdhcp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Monitordhcp\WILvUYc\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WMIsvc\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\Admin\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Monitordhcp\WILvUYc.bat
    Filesize

    44B

    MD5

    c5838fd73ba1243779f5a195b5e74ff5

    SHA1

    51e2f59f37443bab38b199a00e7b1f2e78dea634

    SHA256

    df18d41718439a01b6c48ea662f62f941c846a1b48b8913c56182f0aab406f14

    SHA512

    fbe20cfd402051725e583f2406f5a4ed498f1f7cf3a757f1cc91ec6b2aa23e9ff40e36b6d25ad0ec2c8ed3e575d8b55c8c387fa7fd2fb0caea0c64f0ee227e6c

    Download Submit

  • C:\Monitordhcp\Xii1UKV1Nw42l78hpaWebp.vbe
    Filesize

    195B

    MD5

    f22aec4e46c427cce063968c286274ad

    SHA1

    4d66c5413b6961efb244d720b44d6f3810554032

    SHA256

    385d7fef54298f6819f6fc80b1f98da3a11ddf8db6c354e3c949e05853abe56b

    SHA512

    ecaa1801a079db791e9b70d700ff095438ed3a76a597da6577d91ff6f0347291d2a76276ba86b74e77a51e34e59b56dbcbdf67c1370d0c35324c17d3bf88eebf

    Download Submit

  • \Monitordhcp\Monitordhcphostperfdhcp.exe
    Filesize

    1.4MB

    MD5

    bab98c6765f79dd78332ba9b92ad2630

    SHA1

    580ad3d2c8a509cf43ab389f1a44792f0dfdcd7c

    SHA256

    3e20d986b660e1018c9be00e17d85cc30b3c529f8735c0f4f4cc1703ceff2900

    SHA512

    59e35282900c1aca24923debaf0631fa4b13a909473d8a1bed96a3607ae7ee9300e5b29dbb413765745206eae3eb22927f7cf84d33230b366ceaa0eeee9221e0

    Download Submit

  • memory/1236-37-0x0000000000FE0000-0x0000000001142000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2744-13-0x0000000000F60000-0x00000000010C2000-memory.dmp

    Filesize

    1.4MB

    Download