General

  • Target

    JaffaCakes118_d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389

  • Size

    1.3MB

  • Sample

    241221-z7enpsznev

  • MD5

    fbc0492478d6a0ce76f09ff19db60c65

  • SHA1

    c7815fb0ffeee30f98b6e762bdeb2c784d14f15a

  • SHA256

    d19bbafdd0fe699469222c154ad6c696b9adc6ea18c84fff3e4810b24151d389

  • SHA512

    4f6b740f9ef5b1fec951aaaeb3563832c95c61144de231f1b0e133bebe9ddf4eb94f071a730477003a9f4a7bb7ee1dcd0aabfb1292607aaabc1bae16356b7acf

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks