General
-
Target
JaffaCakes118_a057485437bc2d1c5b2282efbc8f2ede43d1d5cab693cdc623e036339f3145e2
-
Size
1.3MB
-
Sample
241222-fh358atrcy
-
MD5
6e169276de0bd403f38cf6da35955372
-
SHA1
07e024b7a0696eee9bafe888f4a92ee50e1c73ce
-
SHA256
a057485437bc2d1c5b2282efbc8f2ede43d1d5cab693cdc623e036339f3145e2
-
SHA512
554150a3a699ae272179d8597ec00848a84b87add0b8b28f539279e347969795cd8d79d8f44bb0aa409625192e9e5ef06369752691c8b2bbc021005a1cbab476
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_a057485437bc2d1c5b2282efbc8f2ede43d1d5cab693cdc623e036339f3145e2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_a057485437bc2d1c5b2282efbc8f2ede43d1d5cab693cdc623e036339f3145e2.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
Target
JaffaCakes118_a057485437bc2d1c5b2282efbc8f2ede43d1d5cab693cdc623e036339f3145e2
Score
10/10
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-