General
-
Target
JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
-
Size
1.3MB
-
Sample
241222-g11ngsxmdl
-
MD5
ad134c9d0e2b1cbf8287bbfaba5c476f
-
SHA1
6a4710a002517b0a048059f7172c575c22292991
-
SHA256
31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
-
SHA512
e4033d9e0d2b1ae8ac083f806e0d6156c384c40d8c1eaedf58b9b838a763a1421476bdd3795381b68a77c728ba2b36b010130b710542752baf71db032f5b2a84
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
-
Size
1.3MB
-
MD5
ad134c9d0e2b1cbf8287bbfaba5c476f
-
SHA1
6a4710a002517b0a048059f7172c575c22292991
-
SHA256
31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75
-
SHA512
e4033d9e0d2b1ae8ac083f806e0d6156c384c40d8c1eaedf58b9b838a763a1421476bdd3795381b68a77c728ba2b36b010130b710542752baf71db032f5b2a84
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-