General

  • Target

    JaffaCakes118_b070f48074efb0306bd86471d4342e4e73de4f0f5e63c8daff11885c5491746e

  • Size

    1.3MB

  • Sample

    241221-xtjpdswrcx

  • MD5

    c053b0ac8d5cb6b5c3dec09711e65bda

  • SHA1

    db0fa202ee389c6b1c9a5873762997de43a8e22c

  • SHA256

    b070f48074efb0306bd86471d4342e4e73de4f0f5e63c8daff11885c5491746e

  • SHA512

    3a1666ad4daaee27fe4b092e9066f18aa1eb9b3b1bbd297287a63d2b8f05f37e0a541b04061602fe3f18aaa77362654de9d233d4cf816a6d8d952341960e182a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT that has been active since June 2019 and is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the payload of DCRat, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks