General

  • Target

    JaffaCakes118_6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011

  • Size

    1.3MB

  • Sample

    241222-apfevawkbq

  • MD5

    592cc1595f4e19a6a2bae27b6d128513

  • SHA1

    ea7c83185773bad7e733771e990a8dea375e25c5

  • SHA256

    6c639212b290b06dd4a17dc0d8540292a4d2b31acf9fd84aa612ef8fbbec3011

  • SHA512

    d55b822a0cb82bf06a61380b96708d1f08d0864e7b17a77eb3db743806532868f5e0c917e05e820f282e955e2d71285c6e3a185fb374c2cf3b4e7b4d58f1e516

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks