General

  • Target

    JaffaCakes118_31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75

  • Size

    1.3MB

  • Sample

    241222-g11ngsxmdl

  • MD5

    ad134c9d0e2b1cbf8287bbfaba5c476f

  • SHA1

    6a4710a002517b0a048059f7172c575c22292991

  • SHA256

    31b9116701861663524d4850eeb6f1c856363b7263fcf27566983a789aa51a75

  • SHA512

    e4033d9e0d2b1ae8ac083f806e0d6156c384c40d8c1eaedf58b9b838a763a1421476bdd3795381b68a77c728ba2b36b010130b710542752baf71db032f5b2a84

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks