General

  • Target

    JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea

  • Size

    1.3MB

  • Sample

    241221-3raxcsvkbr

  • MD5

    25687a768df356781ffccce530b81577

  • SHA1

    b5e7dc60f8f1c3704bb5b930093d7c2519343acd

  • SHA256

    782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea

  • SHA512

    6aedcf4071d41ad1bc622e6d0fa0ecf29497b64c8d5b063bf60475e7407f729ff931bc651f61d1ba9868dd28c0a9c8ac04b06e3d6cffab460fe66c7d4633da47

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks