dcrat | af00e3c4645fac761a47656f84d5c2036307f00bb01a6fc5be008e5839e4a010

General

Target

fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Size

1.2MB
MD5

fd4a3af3861edfa99ca15c7b6dff39b2
SHA1

00cd93349f4ab8a3b5896440e31dc899cd8585b6
SHA256

af00e3c4645fac761a47656f84d5c2036307f00bb01a6fc5be008e5839e4a010
SHA512

8e447c4c017f3573b7c13b01fa6f2bebcc24ebf7b1ca859fc216b16003b0feec95b21a45906c0d6d180a312a73a9b8c4b0cf9c7db336f3ba8d449a39ba09be4b
SSDEEP

12288:BgHD+WWwXwSqYkjyPnV8GH2Yhpgqx+5R9BIPkMj3lH4cLRCUwphVlEAJqn4:BM+WnHMjyPV8o2Yv+YL31/LCtJ+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2904	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2256-1-0x0000000000BB0000-0x0000000000CDE000-memory.dmp	dcrat
behavioral1/files/0x00050000000194da-11.dat	dcrat
behavioral1/memory/764-25-0x0000000000030000-0x000000000015E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
764	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052916-0\\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\1b8b1de2-69f6-11ef-9774-62cb582c238c\\winlogon.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\dmdskres2\\dwm.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\WmiPrvSE.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wiatrace\\wininit.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wlansvc\\taskhost.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\WF\\dwm.exe\""	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\dmdskres2\dwm.exe	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\dmdskres2\6cb0b6c459d5d3455a3da700e713f2e2529862ff	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\wiatrace\wininit.exe	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\wiatrace\560854153607923c4c5f107085a7db67be01f252	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\wlansvc\taskhost.exe	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\wlansvc\b75386f1303e64d8139363b71e44ac16341adf4e	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\WF\dwm.exe	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Windows\System32\WF\6cb0b6c459d5d3455a3da700e713f2e2529862ff	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\WmiPrvSE.exe	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\24dbde2999530ef5fd907494bc374d663924116c	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe
2852	schtasks.exe
2656	schtasks.exe
2620	schtasks.exe
2536	schtasks.exe
2316	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
764	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
Token: SeDebugPrivilege	764	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1860	2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe	38
PID 2256 wrote to memory of 1860	2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe	38
PID 2256 wrote to memory of 1860	2256	fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe	38
PID 1860 wrote to memory of 2108	1860	cmd.exe	40
PID 1860 wrote to memory of 2108	1860	cmd.exe	40
PID 1860 wrote to memory of 2108	1860	cmd.exe	40
PID 1860 wrote to memory of 1624	1860	cmd.exe	41
PID 1860 wrote to memory of 1624	1860	cmd.exe	41
PID 1860 wrote to memory of 1624	1860	cmd.exe	41
PID 1860 wrote to memory of 764	1860	cmd.exe	42
PID 1860 wrote to memory of 764	1860	cmd.exe	42
PID 1860 wrote to memory of 764	1860	cmd.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cAEvpYkO6g.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2108
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052916-0\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052916-0\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052916-0\fd4a3af3861edfa99ca15c7b6dff39b2_JaffaCakes118.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\dmdskres2\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wiatrace\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wlansvc\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\WF\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cAEvpYkO6g.bat

Filesize
327B

MD5
d819e9ea81893a824fb579d614776c1a

SHA1
e458dc82ee2b5342698a1590e108b3d41a6b3c3f

SHA256
d4956b8604838dfe0219d45ed8c7b2ee79eea2d5eb499b565cdf6d3373a86157

SHA512
934fbf1c2e741e8ea6e5f3d549945125f56dbc596556e3df601f044686ae35bf18857148c197ddc104cd8899833c621b2c821e8549e6d7daf0d3ad3332d9fb49

Download Submit
C:\Windows\System32\wiatrace\wininit.exe

Filesize
1.2MB

MD5
fd4a3af3861edfa99ca15c7b6dff39b2

SHA1
00cd93349f4ab8a3b5896440e31dc899cd8585b6

SHA256
af00e3c4645fac761a47656f84d5c2036307f00bb01a6fc5be008e5839e4a010

SHA512
8e447c4c017f3573b7c13b01fa6f2bebcc24ebf7b1ca859fc216b16003b0feec95b21a45906c0d6d180a312a73a9b8c4b0cf9c7db336f3ba8d449a39ba09be4b

Download Submit
memory/764-25-0x0000000000030000-0x000000000015E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000000BB0000-0x0000000000CDE000-memory.dmp

Filesize
1.2MB

Download
memory/2256-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-22-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads