General

  • Target

    JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517

  • Size

    1.3MB

  • Sample

    241221-1sn49s1jex

  • MD5

    0aeb807ee871896a9fe1051a177732dd

  • SHA1

    e152cb062284e26e048d503d418d9be3cd901773

  • SHA256

    684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517

  • SHA512

    40580d6f8ec1cbf1a62209d337d9409d8ee5abfb278333203fa86b34f689e57d66add5eb09c01fed01bdc7b73c46a7e2b6d17def978b7cc788dfcc46b6af0772

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15