Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 21:54
Behavioral task
behavioral1
Sample
JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe
-
Size
1.3MB
-
MD5
0aeb807ee871896a9fe1051a177732dd
-
SHA1
e152cb062284e26e048d503d418d9be3cd901773
-
SHA256
684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517
-
SHA512
40580d6f8ec1cbf1a62209d337d9409d8ee5abfb278333203fa86b34f689e57d66add5eb09c01fed01bdc7b73c46a7e2b6d17def978b7cc788dfcc46b6af0772
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2124 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 996 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1580 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1056 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1008 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 848 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1240 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 480 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2368 2976 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2976 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x00080000000174bf-11.dat dcrat behavioral1/memory/2664-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp dcrat behavioral1/memory/1412-36-0x00000000010B0000-0x00000000011C0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2392 powershell.exe 2168 powershell.exe 2116 powershell.exe 2164 powershell.exe 328 powershell.exe 3056 powershell.exe 2300 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2664 DllCommonsvc.exe 1412 explorer.exe -
Loads dropped DLL 2 IoCs
pid Process 2688 cmd.exe 2688 cmd.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Windows Sidebar\fr-FR\conhost.exe DllCommonsvc.exe File created C:\Program Files\Windows Sidebar\fr-FR\088424020bedd6 DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe DllCommonsvc.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\7a0fd90576e088 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2044 schtasks.exe 796 schtasks.exe 1240 schtasks.exe 480 schtasks.exe 2584 schtasks.exe 2644 schtasks.exe 2396 schtasks.exe 1008 schtasks.exe 2860 schtasks.exe 2124 schtasks.exe 996 schtasks.exe 1580 schtasks.exe 1056 schtasks.exe 1576 schtasks.exe 2160 schtasks.exe 2028 schtasks.exe 848 schtasks.exe 2368 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2664 DllCommonsvc.exe 3056 powershell.exe 2392 powershell.exe 2168 powershell.exe 2164 powershell.exe 2116 powershell.exe 328 powershell.exe 2300 powershell.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2664 DllCommonsvc.exe Token: SeDebugPrivilege 3056 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 328 powershell.exe Token: SeDebugPrivilege 2300 powershell.exe Token: SeDebugPrivilege 1412 explorer.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2788 wrote to memory of 2816 2788 JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe 30 PID 2788 wrote to memory of 2816 2788 JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe 30 PID 2788 wrote to memory of 2816 2788 JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe 30 PID 2788 wrote to memory of 2816 2788 JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe 30 PID 2816 wrote to memory of 2688 2816 WScript.exe 31 PID 2816 wrote to memory of 2688 2816 WScript.exe 31 PID 2816 wrote to memory of 2688 2816 WScript.exe 31 PID 2816 wrote to memory of 2688 2816 WScript.exe 31 PID 2688 wrote to memory of 2664 2688 cmd.exe 33 PID 2688 wrote to memory of 2664 2688 cmd.exe 33 PID 2688 wrote to memory of 2664 2688 cmd.exe 33 PID 2688 wrote to memory of 2664 2688 cmd.exe 33 PID 2664 wrote to memory of 2116 2664 DllCommonsvc.exe 53 PID 2664 wrote to memory of 2116 2664 DllCommonsvc.exe 53 PID 2664 wrote to memory of 2116 2664 DllCommonsvc.exe 53 PID 2664 wrote to memory of 2164 2664 DllCommonsvc.exe 54 PID 2664 wrote to memory of 2164 2664 DllCommonsvc.exe 54 PID 2664 wrote to memory of 2164 2664 DllCommonsvc.exe 54 PID 2664 wrote to memory of 328 2664 DllCommonsvc.exe 55 PID 2664 wrote to memory of 328 2664 DllCommonsvc.exe 55 PID 2664 wrote to memory of 328 2664 DllCommonsvc.exe 55 PID 2664 wrote to memory of 2168 2664 DllCommonsvc.exe 56 PID 2664 wrote to memory of 2168 2664 DllCommonsvc.exe 56 PID 2664 wrote to memory of 2168 2664 DllCommonsvc.exe 56 PID 2664 wrote to memory of 3056 2664 DllCommonsvc.exe 58 PID 2664 wrote to memory of 3056 2664 DllCommonsvc.exe 58 PID 2664 wrote to memory of 3056 2664 DllCommonsvc.exe 58 PID 2664 wrote to memory of 2392 2664 DllCommonsvc.exe 60 PID 2664 wrote to memory of 2392 2664 DllCommonsvc.exe 60 PID 2664 wrote to memory of 2392 2664 DllCommonsvc.exe 60 PID 2664 wrote to memory of 2300 2664 DllCommonsvc.exe 62 PID 2664 wrote to memory of 2300 2664 DllCommonsvc.exe 62 PID 2664 wrote to memory of 2300 2664 DllCommonsvc.exe 62 PID 2664 wrote to memory of 1412 2664 DllCommonsvc.exe 67 PID 2664 wrote to memory of 1412 2664 DllCommonsvc.exe 67 PID 2664 wrote to memory of 1412 2664 DllCommonsvc.exe 67 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_684210eed10e6648cc76666b9fe3ff3eb11a0c0e116d50f544a0c64426020517.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe"C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\fr-FR\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f785f03dc2fd6cf7c0d0a22034166caa
SHA13b1bbece4f077402026c9768700cfdfbfda8e93a
SHA256e0413b5b21872040f10d6ed456d0d7c9ae159cddf11ab6e193c0560584b506b0
SHA512b071e73cb5038e53cde9b51351772097955a0f0e16b2899a50f78da64cce45ae0037dc7d5c1465715c3e8be471d73e3e787913d1302333e6445feb4eb3907a81
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394