General

  • Target

    JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3

  • Size

    1.3MB

  • Sample

    241221-y3pgnsymfs

  • MD5

    70a3a73630cf2f1b5e514f82589f7c69

  • SHA1

    b8eb8c8de83226ef6411be5423cf1bc610b33a11

  • SHA256

    54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3

  • SHA512

    183d92e6c120b610f95cfc3b025b0664c7f713b88e3aaff1fec916783566e5c579be9dd2dc504e56d2662a554731ca3a1def0647057df1cbd3bef4955292c895

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • Target

      JaffaCakes118_54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3

    • Size

      1.3MB

    • MD5

      70a3a73630cf2f1b5e514f82589f7c69

    • SHA1

      b8eb8c8de83226ef6411be5423cf1bc610b33a11

    • SHA256

      54c697a6c87bf530998fd17ff51e87b09194bce09cc0647535815ae3ed1872f3

    • SHA512

      183d92e6c120b610f95cfc3b025b0664c7f713b88e3aaff1fec916783566e5c579be9dd2dc504e56d2662a554731ca3a1def0647057df1cbd3bef4955292c895

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks