General
-
Target
JaffaCakes118_6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011
-
Size
1.3MB
-
Sample
241222-apfevawkbq
-
MD5
592cc1595f4e19a6a2bae27b6d128513
-
SHA1
ea7c83185773bad7e733771e990a8dea375e25c5
-
SHA256
6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011
-
SHA512
d55b822a0cb82bf06a61380b96708d1f08d0864e7b17a77eb3db743806532868f5e0c917e05e820f282e955e2d71285c6e3a185fb374c2cf3b4e7b4d58f1e516
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
JaffaCakes118_6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011
-
Size
1.3MB
-
MD5
592cc1595f4e19a6a2bae27b6d128513
-
SHA1
ea7c83185773bad7e733771e990a8dea375e25c5
-
SHA256
6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011
-
SHA512
d55b822a0cb82bf06a61380b96708d1f08d0864e7b17a77eb3db743806532868f5e0c917e05e820f282e955e2d71285c6e3a185fb374c2cf3b4e7b4d58f1e516
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-