General

  • Target

    d6b63143f76d9661a29075bdb205db9c_JaffaCakes118

  • Size

    2.6MB

  • Sample

    241208-m5j47a1qaw

  • MD5

    d6b63143f76d9661a29075bdb205db9c

  • SHA1

    ade973a99a0fd7af906a7ee9c1262e26ce8a0570

  • SHA256

    7c6d4716d6d2274220e6424c2a7db27abda4f800276daea601364deda8c2382b

  • SHA512

    1e647a3510b6d2bf2ff351bf4bbe3a6735de5f3f2a2ce72e66706b057789e4ac279ffe0276db2148b1ed36e381d32065129c2738ad5a8c1dba140e75a926c38a

  • SSDEEP

    49152:us9anL1IVFg88eMQR0wJDJKe9GiEl/H876hFXw4wC4QfJjPpcBjYr2Ox:uYY1R8eQHJDJKejElU7EFXwzC4QdOjYN

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks