Overview

overview

10

Static

static

10

e9b76dd40f...18.exe

windows7-x64

10

e9b76dd40f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    e9b76dd40f3d6b54aeb329467f261094

  • SHA1

    f9c949ff9fee524fb7eefa3ce816adce0c1d78fd

  • SHA256

    d28b646c459395738563e52b8ec7e831da311cb91c7b627aa5c9268117c32337

  • SHA512

    3fb509e2b042d3abc89a3c72d3df7a45561461eeb4f39e1cce1f2c1d939b6206a898507a0074d2c1c24a80fb18e12b4e4c555a2dea5e8b3c563c6ea2e0bdee04

  • SSDEEP

    24576:W2G/nvxW3W12U3WE31ghc4xzo3WdXRupmYvjfk19F37MSxTi/DJlT+4n:WbA3CWVCh3WLkmYrfKg/DiI

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 8 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9b76dd40f3d6b54aeb329467f261094_JaffaCakes118.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Runtimeperfnet\1syNKYwmRXGdL3fLPtIqT.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Runtimeperfnet\ZSSFBj4h8UyaWrgI.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4196
        • C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe
          "C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:876
          • C:\Windows\System32\cfmifsproxy\sihost.exe
            "C:\Windows\System32\cfmifsproxy\sihost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeperfnetDriversavesdll" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeperfnetDriversavesdll.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\cfmifsproxy\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MbaeApiPublic\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Runtimeperfnet\1syNKYwmRXGdL3fLPtIqT.vbe
    Filesize

    207B

    MD5

    37cf337b8f57bdb83988391601c164fd

    SHA1

    3addd11c005d3f111b5158b114b0dc8b9ee9836e

    SHA256

    c91a015ddbed9ee199867730961b1ee293cf257b0abc260d35e53dc23b8a87af

    SHA512

    d3a2c40786628a01b37c93e20f9d82512a5c53881b7f6db5e5babd4f7e92893526a794dc5652f3cf342bed40eb3a4a56e2404b0198f7b24093958ac825b49451

    Download Submit

  • C:\Runtimeperfnet\RuntimeperfnetDriversavesdll.exe
    Filesize

    1.1MB

    MD5

    8169d77b386f287c2a82e16b4946eec3

    SHA1

    40d37a341d757efa9f3bdccecd76d7bd4aa76827

    SHA256

    12215f07467ec46ec06d2a1c734dc0dc40d66c3b27bcebaebbdc3f0f0792c450

    SHA512

    9d82106531ddf6d452b229977956aa719b1f0ad7b20fdc328ec6b0bcd7e7915a132df12087f1c87e835808d4c8763e167f7ee9462ec1e53e3099fd4b34d18639

    Download Submit

  • C:\Runtimeperfnet\ZSSFBj4h8UyaWrgI.bat
    Filesize

    52B

    MD5

    324b5e03c3a74a39afd97c6021786a36

    SHA1

    68e090d02ddef65f18fc7539cfca1851e3aee226

    SHA256

    ce90253c373590ee106fdf14419dbac112d81955c57c9194029bd462bd90d3ec

    SHA512

    8f6f45347b682baa3aa4e5307586f6c29dc6d6fb557427e887950bf947bde2bab3cecedfd70caabfa6ec5d22041988c59a096fce3224bb0d71bc3d8afcef28bd

    Download Submit

  • memory/876-12-0x00007FFC7E803000-0x00007FFC7E805000-memory.dmp

    Filesize

    8KB

    Download

  • memory/876-13-0x0000000000CE0000-0x0000000000DF6000-memory.dmp

    Filesize

    1.1MB

    Download