General

  • Target

    JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8

  • Size

    1.3MB

  • Sample

    241222-ahzvxavrar

  • MD5

    836f1e0b35ad6745a2dca977ea5260e9

  • SHA1

    3d34269b1f44d5472699d8c6ff4e1cb9668a266e

  • SHA256

    226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8

  • SHA512

    2be74ac48c3b554aa11d3fcf95e4ba4963b7f5cfda0f3ecc60240ba78c777455c753fb6cc49eda625c8a501079b935bafdfe72745925d4af95c6a701601690f2

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • Target

      JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8

    • Size

      1.3MB

    • MD5

      836f1e0b35ad6745a2dca977ea5260e9

    • SHA1

      3d34269b1f44d5472699d8c6ff4e1cb9668a266e

    • SHA256

      226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8

    • SHA512

      2be74ac48c3b554aa11d3fcf95e4ba4963b7f5cfda0f3ecc60240ba78c777455c753fb6cc49eda625c8a501079b935bafdfe72745925d4af95c6a701601690f2

    • SSDEEP

      24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example via an exploit or a malicious macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
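The "Command and Scripting Interpreter: PowerShell" behaviour above (Add-MpPreference / Set-MpPreference with -ExclusionPath, -ExclusionExtension or -ExclusionProcess) is straightforward to hunt for in process-creation telemetry. The following is an added example, not part of the report or of any vendor tooling: it scans command lines for those cmdlets, expands -EncodedCommand payloads (base64 of UTF-16LE) so exclusions hidden that way are still seen, and reports the exclusions each event tries to add. The sample events are constructed to look like Sysmon Event ID 1 fields; the field names and the parameter parsing (a regex heuristic, not a full PowerShell parser) are assumptions.

```python
import base64
import re
from typing import Dict, List

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# Only Add-/Set-MpPreference change Defender settings; Get-MpPreference merely reads them.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Parameter value runs until the next " -Parameter" or the end of the command line.
PARAM_RE = re.compile(
    r"""-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+(.+?)(?=\s+-[A-Za-z]|["']?\s*$)""",
    re.IGNORECASE)
# Common spellings of -EncodedCommand followed by its base64 argument.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand text (if any) so it can be scanned like plain text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE: scan the raw command line only
    return f"{cmdline} {decoded}"


def extract_exclusions(cmdline: str) -> Dict[str, List[str]]:
    """Return {parameter: [values]} for every Defender exclusion the command line adds."""
    text = decode_encoded_command(cmdline)
    if not CMDLET_RE.search(text):
        return {}
    found: Dict[str, List[str]] = {}
    for param, raw in PARAM_RE.findall(text):
        # PowerShell accepts comma-separated arrays, optionally quoted per element.
        values = [v.strip().strip("\"'") for v in raw.split(",")]
        values = [v for v in values if v]
        if values:
            key = next(p for p in EXCLUSION_PARAMS if p.lower() == param.lower())
            found.setdefault(key, []).extend(values)
    return found


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag every process-creation event whose command line adds a Defender exclusion."""
    alerts = []
    for ev in events:
        exclusions = extract_exclusions(ev["command_line"])
        if exclusions:
            alerts.append({"image": ev["image"], "exclusions": exclusions})
    return alerts


# Constructed sample events (not from the report), shaped like Sysmon Event ID 1 fields.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"image": POWERSHELL,
     "command_line": 'powershell -NoP -W Hidden -Command "Add-MpPreference '
                     '-ExclusionPath C:\\Users\\Public, C:\\ProgramData\\svc"'},
    {"image": POWERSHELL,
     "command_line": "powershell.exe Set-MpPreference -ExclusionExtension '.exe','.dll' "
                     "-ExclusionProcess 'winlogon.exe'"},
    {"image": POWERSHELL, "command_line": f"powershell -NoP -enc {_ENCODED}"},
    {"image": POWERSHELL, "command_line": "powershell Get-MpPreference"},  # benign read
    {"image": r"C:\Program Files\Contoso\backup.exe", "command_line": "backup.exe --snapshot"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["image"], alert["exclusions"])
```

On a live host the same intent can be confirmed after the fact with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess`, since exclusions persist after the PowerShell process exits; an exclusion covering a user-writable directory such as C:\Users\Public or C:\ProgramData is a strong indicator on its own.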

MITRE ATT&CK Enterprise v15

Tasks