General
Target: JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
Size: 1.3MB
Sample: 241221-x5lywsxnar
MD5: 1ba91bf9dd57860a1c06b74732e50ea8
SHA1: 7d1307ff0d4af4a37c69a5feffd54aaf9c590376
SHA256: ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
SHA512: 51308f98be76dcc1e1ac3234121098e34c13871560b12a0d44316d9ebc5acccbff7f0896ed461c2c141f88d679808e985f0642369e7fe6ec98dee1e719ad14fe
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
Sample: JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: JaffaCakes118_ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
Size: 1.3MB
MD5: 1ba91bf9dd57860a1c06b74732e50ea8
SHA1: 7d1307ff0d4af4a37c69a5feffd54aaf9c590376
SHA256: ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
SHA512: 51308f98be76dcc1e1ac3234121098e34c13871560b12a0d44316d9ebc5acccbff7f0896ed461c2c141f88d679808e985f0642369e7fe6ec98dee1e719ad14fe
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score: 10/10

DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2