General
Target: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74
Size: 1.3MB
Sample: 241221-w448eawmbr
MD5: 2a2f491aa6f9963908916033c9cedd3c
SHA1: fe26fa5085318afe6c8e35924c524906c410b075
SHA256: 148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74
SHA512: 27fa84df57c93eb04be0de81cf38322b0e454651a07599397441f178837b9112c2e8eadb7db43bf7aa5f557cd293c0a5f610b1da971fc02a1f5855112433cfd4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
Sample: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74
Score: 10/10
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
- DcRat family
- Process spawned unexpected child process
  This typically indicates that the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2