General

  • Target

    JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74

  • Size

    1.3MB

  • Sample

    241221-w448eawmbr

  • MD5

    2a2f491aa6f9963908916033c9cedd3c

  • SHA1

    fe26fa5085318afe6c8e35924c524906c410b075

  • SHA256

    148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74

  • SHA512

    27fa84df57c93eb04be0de81cf38322b0e454651a07599397441f178837b9112c2e8eadb7db43bf7aa5f557cd293c0a5f610b1da971fc02a1f5855112433cfd4

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • Target

      JaffaCakes118_148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74

    • Size

      1.3MB

    • MD5

      2a2f491aa6f9963908916033c9cedd3c

    • SHA1

      fe26fa5085318afe6c8e35924c524906c410b075

    • SHA256

      148628a65c9d0b7e3085682e6f6f175930eb292667560b125c9b15eb880fbc74

    • SHA512

      27fa84df57c93eb04be0de81cf38322b0e454651a07599397441f178837b9112c2e8eadb7db43bf7aa5f557cd293c0a5f610b1da971fc02a1f5855112433cfd4

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks