General
Target: JaffaCakes118_3181e596ca08f87a70eeb4af5ab48024ec36883ee5276f7361a7baf4baef76bd
Size: 1.3MB
Sample: 241221-zmtxwszkem
MD5: 16eb639d9ea9e844397145e90edddc6d
SHA1: 299c16d93a83de9d71abd940a2df02b693e0e041
SHA256: 3181e596ca08f87a70eeb4af5ab48024ec36883ee5276f7361a7baf4baef76bd
SHA512: b817aef60479bb551a5d45bab9d24facd359bf2839b21afd295d4e7f504e8f4a9ed68db43ba346e1df4c57c129738a00be7c9dc7148a1e8b7e99f9561756fb94
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
Sample: JaffaCakes118_3181e596ca08f87a70eeb4af5ab48024ec36883ee5276f7361a7baf4baef76bd.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_3181e596ca08f87a70eeb4af5ab48024ec36883ee5276f7361a7baf4baef76bd.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: JaffaCakes118_3181e596ca08f87a70eeb4af5ab48024ec36883ee5276f7361a7baf4baef76bd
Score: 10/10
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
DcRat family
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2