General
Target: JaffaCakes118_03a152a1815481d353ca65607ec1b67caed513269d0765354ccd513eaf9fd552
Size: 1.3MB
Sample: 241221-xre87axjgk
MD5: 2dc1b0fa6b9ddfa76ffc8435a4bb5b12
SHA1: 45899195faa8c728a887677fd4548196a6743e04
SHA256: 03a152a1815481d353ca65607ec1b67caed513269d0765354ccd513eaf9fd552
SHA512: f8daa566116c4262819fae3038c797936e2b1fd3dc4343b30dbdb7defd6edfccff9975c970218144c0181d4c1ed50524675fddf85ab77a3ee6e65576e34d4154
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
Sample: JaffaCakes118_03a152a1815481d353ca65607ec1b67caed513269d0765354ccd513eaf9fd552.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_03a152a1815481d353ca65607ec1b67caed513269d0765354ccd513eaf9fd552.exe
Resource: win10v2004-20241007-en
Malware Config
Targets: same file as listed under General.
Score: 10/10

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2