Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 22:40
General
-
Target
JaffaCakes118_3dbd4253c05c7ea1dbf0f2065af370940f6931dffa78de3fe7ff208933aaa946.exe
-
Size
1.3MB
-
MD5
60b358c57dea76d4844b2ebed31a4cec
-
SHA1
0b338d958f74dce6deb747ac3255147138108eb7
-
SHA256
3dbd4253c05c7ea1dbf0f2065af370940f6931dffa78de3fe7ff208933aaa946
-
SHA512
6f494c36198ce1f7c5161e002bf3908ed338483765affef952272f657ce53caeb6b664cfba9ec891e74d8a8bec5a575149fa9f3c333170d0df23b16895638ba1
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dbd4253c05c7ea1dbf0f2065af370940f6931dffa78de3fe7ff208933aaa946.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3dbd4253c05c7ea1dbf0f2065af370940f6931dffa78de3fe7ff208933aaa946.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\More Games\fr-FR\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files\Uninstall Information\audiodg.exe"C:\Program Files\Uninstall Information\audiodg.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\More Games\fr-FR\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\fr-FR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\More Games\fr-FR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD596df4645be9980271008034a8a0e598a
SHA1e1ebe782ebbd5d4c0bb044b6a1c35d09513c464d
SHA25659310ce4d312eee1ee02e5cc1381db72e866c86ac2e41bec1a84c6b5aeee5315
SHA512b83bbd7cb63139b6500f324a855a561a08aa3e3a21f78433f149b8ca81909d45e2cc89d94cb4e1685b6606a00087c68b8a18c50553f8840a63ad507c6f70af1b
-
Filesize
342B
MD56a321c47d8bf4bfd49a67ffc60175f10
SHA1e17221c9cd6ade3591a1f50d252f985c513da706
SHA256376ada2d59f0c229ba543c07d8ff79572666847db4836aef89ada07e9f644353
SHA512316cf478f7df3bf338a5689cf1b056ea6fbeb6f333fa412e54c2b6006c5eae887d429cd1a41133e66a4871ba2ad43d7b8d08b51c0a8b58584766d34883077c8b
-
Filesize
342B
MD51daa471b7b18b831a126b1b5fde35d7c
SHA1dfaa49f9217ab0a39bfed1ce88975a810b303433
SHA256a20727decc5abbc35551910bc8cd04a460b2dbe1f6061ac3623dc3dcab665752
SHA512490a7ebd1e36e36a422c855b15fca8871595be4d80ac588e5344e7c551213e83f61422b3261fd5818356843cb7f956194cfb6ea402b1c9a2e35c9a65c89214a1
-
Filesize
342B
MD5ffad486f0662c6c3b3e8eeb77b89ec21
SHA16096057eed09915d08ce66e13dfbbaf0534b3b3b
SHA2562a4c0c67cada839143d2d88247d3afd25526b7e29a9ddc5018484e93e3d7c1f8
SHA512438d7293b252c376eb832e6155a84dc48d3996fad287df2954533aa428d60d1f66477f20b963e55275dff123e75fed29f3aa2c84fabe9d0a18fed3a4ae3f2a50
-
Filesize
342B
MD5bb304dde89e4c1851e75293c0333508d
SHA1b1ed94943c51774189146c1b21a7e2eb9d6fe625
SHA2561ef7f0c2005895e8156daa317bf62e48a04f51f410e2f11508ef1f6100c65930
SHA512b9d295fb00a9da2b54a44f99c0f85e9de5ae4f9583637bfcc6d03fe94b4af87d0bb945c4e170ea7d31edc5cd18d52f5dc3c5b82916ff510c152ab504fb717dad
-
Filesize
342B
MD5be47bff68f2758bf2b5a60b17fdb123e
SHA12bde88c7a9c7aff4e9a98c6470d669e4c80fa7dc
SHA256621181c135f84b5b29e0ab64fe7fce2f05fdab9d38cecc8fb8f0a574aeaea351
SHA512e41a3d3fa4461e1f73b8dfc34bc980c76801e441326d4bcce4146802848686c14d5b336ffd42d8d90b7fb663da856a2418c2bee74659c28726f8d637dd845315
-
Filesize
215B
MD5239a4e70fdf6715a10212c428fb005bd
SHA17a487e97debf1e62787cebee3914b6d74733602b
SHA256adf0df8be2a97f10fff8e7c54dc8af51e03d8b1388a0b36bb1767a8f012f3a32
SHA5123394c9c07ac023f0a5b206cf775ba3a44b505fc78aeafdeaaec96bf9e73aa4e9eaef52639dc470f03d0340d62ac4d11cbeeba4f3e8fd976575b9aa10d88b0a61
-
Filesize
215B
MD5abcd660ac3c5abea1c1de50f08daceeb
SHA135c2ae1d582abdd06198a84b34fd106bc9f50f72
SHA2561b6afa8aef340e8a450a06a703e27ada9e40f97f7e2f6547a29432e4a49dff60
SHA5127c63d6e5a2cb60c022bec4841ba6c51ffcd6e4df406352340c911780e23f99120dde6800c487e3f54314f201c5a7b8acf227727eced7573daacb3ef59a6c7bb2
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
215B
MD52af0a7975ecb6ea1d692fed436164055
SHA123f7f116e05551c57f99f0385d328035ddfe90c4
SHA2560174399940864518ff3fde2dbab9c46e20e87b28d2f13435c8a244355f3ddf8c
SHA512fc8d238c6a4d2dd41b8d141f27f7879776db47f2cbb2164d51324e53a2437078b7944589f89226c96b200da96900d7c3bc24d1566e061c3e272ad78c3479d0d9
-
Filesize
215B
MD566d97b709d3b1cbe546f148a64e10991
SHA11fb8a6f59d0e9b0a91bb061221f7f68c6458b04b
SHA256b2ee0eb7aa0529aeaa2045ee4866d620fdee129507b6738f3c423c84526afaf1
SHA51204acaf7e190409fea25fcdba9cfe78d9ede4ef975bc3aa0606a402e830d661f16c6cc3f0ca88e49ca9a6b1d26b9f1e28a7b8145abb675a816e53873add370228
-
Filesize
215B
MD56ce7ea8b9e15f452eb95145b6621f29c
SHA1b57e0fbbb06ce4eda49f5e53866cd5f409148544
SHA2567cbbe02c5e7707f9d325b869d43ed94fa2217825770d2ac9805e9b0de9f2dc6f
SHA5124884abb924aef6ba77e0064fb9c721cac417b190439c379b505016caf6e130187032800b8522799913e85fd697c2b41e70cabc6a80be3684ed9a96c41babfed4
-
Filesize
215B
MD55e8904ae9730423bb5c60414db885960
SHA1459a131f2d0181be4b2f809a4d8afc6a244bea3b
SHA2561b3a139ec0ced33c04bbaf12f12bfde8727730032d3157172439aa27a28553f2
SHA512c390f1f8a6250a5604983af029ac7e15c94d566af50da961551ea9d51184ea6b41a07b095c1458a464d866ac573538b6a00d2265c4239db1ba86b793a1929b35
-
Filesize
215B
MD57e26e4200b8e97e6968f2795d2c4ce3d
SHA1daec945c694b8be3b7782eacc3047bb06626f11f
SHA2568acf715419c633467c64a128e0c9606086623aa303a77dfb232ca3bed4595b3f
SHA51230cbc5ef449622b850fc027b3aecda92426813810147f0836598dce341806a70e4035f082cf6380ed66edb3fd95d36e3b3ff3ac110437bd3731ef6585c94dfde
-
Filesize
7KB
MD5e616ece2f359c795de690e3b64072e93
SHA1659b050517066ee2f46a926b4c98ca3f6ff19584
SHA256b3db2d3674110bdd12a0fdc5a41e5c68046b648b489d64d9669ee1a07f7572cb
SHA51250bfc0ad98f02cbe2f47b8b44b8899d49a0d4798c6b17d94c1d9b3d14dfe58ea6ca1b9c0f67f94dfda8f1b07be6675ebe66d7a2dbf6106a454c817df410179d6
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB