Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 03:41

General

  • Target
    e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe
  • Size
    1.4MB
  • MD5
    e9b76dd40f3d6b54aeb329467f261094
  • SHA1
    f9c949ff9fee524fb7eefa3ce816adce0c1d78fd
  • SHA256
    d28b646c459395738563e52b8ec7e831da311cb91c7b627aa5c9268117c32337
  • SHA512
    3fb509e2b042d3abc89a3c72d3df7a45561461eeb4f39e1cce1f2c1d939b6206a898507a0074d2c1c24a80fb18e12b4e4c555a2dea5e8b3c563c6ea2e0bdee04
  • SSDEEP
    24576:W2G/nvxW3W12U3WE31ghc4xzo3WdXRupmYvjfk19F37MSxTi/DJlT+4n:WbA3CWVCh3WLkmYrfKg/DiI

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Runtimeperfnet\1syNKYwmRXGdL3fLPtIqT.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Runtimeperfnet\ZSSFBj4h8UyaWrgI.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe
          "C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\ProgramData\Microsoft Help\csrss.exe
            "C:\ProgramData\Microsoft Help\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\sqlceoledb30\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\bthci\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Runtimeperfnet\1syNKYwmRXGdL3fLPtIqT.vbe
    Filesize: 207B
    MD5: 37cf337b8f57bdb83988391601c164fd
    SHA1: 3addd11c005d3f111b5158b114b0dc8b9ee9836e
    SHA256: c91a015ddbed9ee199867730961b1ee293cf257b0abc260d35e53dc23b8a87af
    SHA512: d3a2c40786628a01b37c93e20f9d82512a5c53881b7f6db5e5babd4f7e92893526a794dc5652f3cf342bed40eb3a4a56e2404b0198f7b24093958ac825b49451
  • C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe
    Filesize: 1.1MB
    MD5: 8169d77b386f287c2a82e16b4946eec3
    SHA1: 40d37a341d757efa9f3bdccecd76d7bd4aa76827
    SHA256: 12215f07467ec46ec06d2a1c734dc0dc40d66c3b27bcebaebbdc3f0f0792c450
    SHA512: 9d82106531ddf6d452b229977956aa719b1f0ad7b20fdc328ec6b0bcd7e7915a132df12087f1c87e835808d4c8763e167f7ee9462ec1e53e3099fd4b34d18639
  • C:\Runtimeperfnet\ZSSFBj4h8UyaWrgI.bat
    Filesize: 52B
    MD5: 324b5e03c3a74a39afd97c6021786a36
    SHA1: 68e090d02ddef65f18fc7539cfca1851e3aee226
    SHA256: ce90253c373590ee106fdf14419dbac112d81955c57c9194029bd462bd90d3ec
    SHA512: 8f6f45347b682baa3aa4e5307586f6c29dc6d6fb557427e887950bf947bde2bab3cecedfd70caabfa6ec5d22041988c59a096fce3224bb0d71bc3d8afcef28bd
  • memory/1680-34-0x0000000000E70000-0x0000000000F86000-memory.dmp
    Filesize: 1.1MB
  • memory/2300-13-0x00000000002F0000-0x0000000000406000-memory.dmp
    Filesize: 1.1MB