General

  • Target

    JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b

  • Size

    1.3MB

  • Sample

    241221-xw823axjcw

  • MD5

    d570c2c1d9764c8825741e010d5684d1

  • SHA1

    9f61d4416189eb1631ecf7dc4e224a3eb379ab73

  • SHA256

    3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b

  • SHA512

    6a3ba3ca0a1f9bc7baa7411a711fb7ea2519acd14ec8354b972aa33b30115017248f6268fec953507d23dd621dd3820827a17d9d53b8fd0c2b238350bdc42364

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • Target

      JaffaCakes118_3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b

    • Size

      1.3MB

    • MD5

      d570c2c1d9764c8825741e010d5684d1

    • SHA1

      9f61d4416189eb1631ecf7dc4e224a3eb379ab73

    • SHA256

      3d2ba41c1ffe859614445f6a7b36e30075d581387e8480b4fb3c44a90ad4224b

    • SHA512

      6a3ba3ca0a1f9bc7baa7411a711fb7ea2519acd14ec8354b972aa33b30115017248f6268fec953507d23dd621dd3820827a17d9d53b8fd0c2b238350bdc42364

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks