Resubmissions

08-12-2024 11:04

241208-m6n5ja1qcv 10

General

  • Target

    d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118

  • Size

    978KB

  • Sample

    241208-m6n5ja1qcv

  • MD5

    d6b8c1db03cd0f282e1718daf0dc35cf

  • SHA1

    33435de2eb5be3e242bc75d3c6722e6e1a9b866c

  • SHA256

    7849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04

  • SHA512

    fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27

  • SSDEEP

    24576:gHmSroFu1bU2XbykgUD5G5/XjaTG5lgUChKw9NQLH:gH7k4lyzBdToG5Wj9U

Malware Config

Targets

    • Target

      d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Disables service(s)

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks