General
-
Target
JaffaCakes118_2d7beace7d0ade562aa8f8236fbd441549b39c2c35a0dc4c72282afcb08201bc
-
Size
1.3MB
-
Sample
241221-3t4mfstrhx
-
MD5
17e6bc9413dc636635772cecaf1c96b9
-
SHA1
4a5149b9f76d9ba495779e01d6c6f18e27c34af8
-
SHA256
2d7beace7d0ade562aa8f8236fbd441549b39c2c35a0dc4c72282afcb08201bc
-
SHA512
e61be6fb009242ad172c9702cdf7919351c7aefba9e2cec317ec090e0fcd381c3fb5188cbbfac7e0863d4e1fbfc4529f11c6956b186c01f4d1d5c4d24145efd3
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_2d7beace7d0ade562aa8f8236fbd441549b39c2c35a0dc4c72282afcb08201bc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_2d7beace7d0ade562aa8f8236fbd441549b39c2c35a0dc4c72282afcb08201bc.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
Target
JaffaCakes118_2d7beace7d0ade562aa8f8236fbd441549b39c2c35a0dc4c72282afcb08201bc
Score 10/10
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, most likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
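The "Process spawned unexpected child process" and "Command and Scripting Interpreter: PowerShell" signatures above are expressed below as detection logic run over process-creation records. This is an added example, not code from the sandbox, the report, or the sample: the records are constructed Sysmon Event ID 1 style fields (parent image, image, command line), and the parent/child lists, regexes, and function names are assumptions of the example rather than Triage's actual rules. It also handles the -EncodedCommand case, where the Add-MpPreference call is hidden inside a base64-encoded UTF-16LE payload.

```python
"""Detection logic for two behaviours listed in the report (added example,
not part of the sandbox report): a non-interpreter parent spawning a
command interpreter, and PowerShell adding Windows Defender exclusions.
All input records are constructed for illustration."""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon ParentImage (assumed field layout)
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


# Assumption of the example: these parents never legitimately spawn a
# command interpreter, so such a child is treated as the signature firing.
NON_INTERPRETER_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                           "acrord32.exe", "mshta.exe", "wscript.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous parameter prefix, so -ExclusionP,
# -ExclusionE and -ExclusionProc are matched, not only the full names.
DEFENDER_EXCLUSION = re.compile(
    r"(add|set)-mppreference\b.*?-exclusion(p|e|proc)", re.IGNORECASE)
# Common spellings of the encoded-command switch: -e, -ec, -enc, -encodedcommand.
ENCODED_CMD = re.compile(
    r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or
    None when the switch is absent or the payload is not valid base64."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command(cmdline: str) -> str:
    """The command that actually runs: the decoded payload if present,
    otherwise the raw command line."""
    decoded = decode_encoded_command(cmdline)
    return decoded if decoded is not None else cmdline


def detect(ev: ProcEvent) -> list:
    """Return the list of signature names that fire for one record."""
    hits = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in NON_INTERPRETER_PARENTS and child in INTERPRETERS:
        hits.append("Process spawned unexpected child process")
    if child in POWERSHELL and DEFENDER_EXCLUSION.search(
            effective_command(ev.command_line)):
        hits.append("Command and Scripting Interpreter: PowerShell (Defender exclusion)")
    return hits


# Constructed sample records (not captured from the sample above).
_ENC = base64.b64encode(
    "Set-MpPreference -ExclusionProcess dropper.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "Add-MpPreference '
              '-ExclusionPath C:\\Users\\Public -ExclusionExtension .exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Get-MpPreference | Select ExclusionPath"'),
]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, detect(ev) or "clean")
```

The third record is the case a plain string match on "Add-MpPreference" misses: nothing in the raw command line names the cmdlet, and only decoding the -enc payload exposes the exclusion being added. The fourth record (a read-only Get-MpPreference) stays clean, since querying exclusions is routine administration and only adding or setting them is the signature.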