Overview

overview

10

Static

static

10

cd0474c2a3...18.exe

windows7-x64

10

cd0474c2a3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    cd0474c2a3a8a662b9ec1cda81ef072e

  • SHA1

    e1bc9504cbf0f6b96ba50f5a14b34d4f9466480d

  • SHA256

    6fa4e7b5a0f66ca0eb75634dbcc3a75a33e126d4f62fd76285a016d5df61b785

  • SHA512

    fc8d7fa6216f85924f5eaa7252c3bb720bab4d48d86a11f10d236190debd3b2f773188039250d378b1ab6c32ac4f053fba6b3a632ef6ef26d3345b1cd4055215

  • SSDEEP

    24576:u2G/nvxW3WieCIjEHTG4BWus6NpkRqqdY/kxqlQOczM9xDEw5PWGBcXkaH+kO+49:ubA3jI2BWuzpkRLOsGEwRnB8k4hJ2

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cd0474c2a3a8a662b9ec1cda81ef072e_JaffaCakes118.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Monitordhcp\Xii1UKV1Nw42l78hpaWebp.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Monitordhcp\WILvUYc.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Monitordhcp\Monitordhcphostperfdhcp.exe
          "C:\Monitordhcp\Monitordhcphostperfdhcp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:224
          • C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe
            "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\pnputil\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Monitordhcp\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\setbcdlocale\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\MTFAppServiceDS\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_BrowserDeclutter\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Monitordhcp\Monitordhcphostperfdhcp.exe
    Filesize

    1.4MB

    MD5

    bab98c6765f79dd78332ba9b92ad2630

    SHA1

    580ad3d2c8a509cf43ab389f1a44792f0dfdcd7c

    SHA256

    3e20d986b660e1018c9be00e17d85cc30b3c529f8735c0f4f4cc1703ceff2900

    SHA512

    59e35282900c1aca24923debaf0631fa4b13a909473d8a1bed96a3607ae7ee9300e5b29dbb413765745206eae3eb22927f7cf84d33230b366ceaa0eeee9221e0

    Download Submit

  • C:\Monitordhcp\WILvUYc.bat
    Filesize

    44B

    MD5

    c5838fd73ba1243779f5a195b5e74ff5

    SHA1

    51e2f59f37443bab38b199a00e7b1f2e78dea634

    SHA256

    df18d41718439a01b6c48ea662f62f941c846a1b48b8913c56182f0aab406f14

    SHA512

    fbe20cfd402051725e583f2406f5a4ed498f1f7cf3a757f1cc91ec6b2aa23e9ff40e36b6d25ad0ec2c8ed3e575d8b55c8c387fa7fd2fb0caea0c64f0ee227e6c

    Download Submit

  • C:\Monitordhcp\Xii1UKV1Nw42l78hpaWebp.vbe
    Filesize

    195B

    MD5

    f22aec4e46c427cce063968c286274ad

    SHA1

    4d66c5413b6961efb244d720b44d6f3810554032

    SHA256

    385d7fef54298f6819f6fc80b1f98da3a11ddf8db6c354e3c949e05853abe56b

    SHA512

    ecaa1801a079db791e9b70d700ff095438ed3a76a597da6577d91ff6f0347291d2a76276ba86b74e77a51e34e59b56dbcbdf67c1370d0c35324c17d3bf88eebf

    Download Submit

  • memory/224-12-0x00007FFEBC563000-0x00007FFEBC565000-memory.dmp

    Filesize

    8KB

    Download

  • memory/224-13-0x00000000006E0000-0x0000000000842000-memory.dmp

    Filesize

    1.4MB

    Download