General
- Target: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b
- Size: 1.3MB
- Sample: 241221-xw823axjcw
- MD5: d570c2c1d9764c8825741e010d5684d1
- SHA1: 9f61d4416189eb1631ecf7dc4e224a3eb379ab73
- SHA256: 3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b
- SHA512: 6a3ba3ca0a1f9bc7baa7411a711fb7ea2519acd14ec8354b972aa33b30115017248f6268fec953507d23dd621dd3820827a17d9d53b8fd0c2b238350bdc42364
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
- Sample: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b.exe
- Resource: win10v2004-20241007-en
Malware Config
Targets
Score: 10/10
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2