Overview

overview

10

Static

static

3

d19220e738...18.exe

windows7-x64

10

d19220e738...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d19220e738ca3bae030183e83544aebc_JaffaCakes118

  • Size

    2.3MB

  • Sample

    241207-kpk1fa1jdj

  • MD5

    d19220e738ca3bae030183e83544aebc

  • SHA1

    8f6b9a18e180ec012be9d12ddf8c2ab79e1fe990

  • SHA256

    6956fe608e1cbcac4888a11b3a9815451289a38bb3fdb82c29f8f8ad593b209d

  • SHA512

    c493831b0baf1f5d96921ec21ddef85b0e9e45e6ef7ebb5f82fc8da081d3fa6ee6d9fd3efec47be603ff3ae474f9fdabbff1ae530155e715eab588c09f46e980

  • SSDEEP

    49152:PWkv2p8AKHzTc8b6ZgeZ50xGktV/Cg1beUU++JKpqmPfgwvc+XXgGALr28:n2pJ2zIjZg0NkLqk+XSfdvzXXGG8

Score
10/10
dcratdiscoveryevasioninfostealerpersistencerat

Malware Config

Targets

    • Target

      d19220e738ca3bae030183e83544aebc_JaffaCakes118

    • Size

      2.3MB

    • MD5

      d19220e738ca3bae030183e83544aebc

    • SHA1

      8f6b9a18e180ec012be9d12ddf8c2ab79e1fe990

    • SHA256

      6956fe608e1cbcac4888a11b3a9815451289a38bb3fdb82c29f8f8ad593b209d

    • SHA512

      c493831b0baf1f5d96921ec21ddef85b0e9e45e6ef7ebb5f82fc8da081d3fa6ee6d9fd3efec47be603ff3ae474f9fdabbff1ae530155e715eab588c09f46e980

    • SSDEEP

      49152:PWkv2p8AKHzTc8b6ZgeZ50xGktV/Cg1beUU++JKpqmPfgwvc+XXgGALr28:n2pJ2zIjZg0NkLqk+XSfdvzXXGG8

    Score
    10/10
    dcratdiscoveryevasioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks