General

  • Target

    JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee

  • Size

    1.3MB

  • Sample

    241222-g5e8caxnen

  • MD5

    1d0f92131d446bb757559c0715a0116e

  • SHA1

    22abe0fe9aa3091f852c19e4de0b570bc63a6aa5

  • SHA256

    ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee

  • SHA512

    31b428acc3d01a47b31c21775c956a4aeafd2ce555c26ac950e8a928815002d2597a8caa9c116f2fad389042d8537344ce57a93cce67e7a5b8774b4600e35e43

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Targets

    • Target

      JaffaCakes118_ed183a62f716f18eabceaa76b4be07b0964a15b90fd17a44342631ac85e521ee

    • DCRat

      DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.

    • DCRat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example through an exploit or a malicious document macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped components are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before continuing execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

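The three host behaviours flagged above (a process spawning an unexpected child, PowerShell adding Windows Defender exclusions, and the registry country-code lookup) can be expressed as simple detection rules over process-creation telemetry. The Python below is an added example written for this page; it is not code from the sandbox, the report, or the malware. The events, file paths, PIDs and command lines are constructed (Sysmon Event ID 1 style fields), the parent/child lists are assumptions to tune per environment, and the `HKCU\Control Panel\International\Geo\Nation` key is assumed as the country-code location. It also decodes `-EncodedCommand` payloads so an exclusion hidden in base64 UTF-16LE is still caught.

```python
import base64
import re
from dataclasses import dataclass

# Parent processes that should not launch shells or script hosts on a workstation,
# and the children worth flagging. Both sets are assumptions to tune per environment.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Add-MpPreference/Set-MpPreference with any -Exclusion* parameter in the same statement.
MP_EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b[^|;]*-Exclusion(?:Path|Extension|Process|IpAddress)")
# The same effect written directly to the registry (reg.exe add / Set-ItemProperty).
REG_EXCLUSION_RE = re.compile(r"(?i)Windows Defender\\Exclusions\\(?:Paths|Extensions|Processes)")
# Country-code lookup under HKCU\Control Panel\International\Geo (assumed location).
GEO_RE = re.compile(r"(?i)Control Panel\\International\\Geo")
# powershell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the rules see the real script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # bad padding or not base64: keep the command line as-is
        return cmdline
    return cmdline + "\n" + script


def scan(events):
    """Run the three rules over process-creation events; findings come back in event order."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        text = expand_command(ev.get("cmdline", ""))
        if parent in DOC_PARENTS and image in SCRIPT_HOSTS:
            findings.append(Finding("unexpected_child", ev["pid"], f"{parent} -> {image}"))
        if MP_EXCLUSION_RE.search(text) or REG_EXCLUSION_RE.search(text):
            findings.append(Finding("defender_exclusion", ev["pid"], text.splitlines()[-1][:80]))
        if GEO_RE.search(text):
            findings.append(Finding("geo_check", ev["pid"], "reads Control Panel\\International\\Geo"))
    return findings


# Constructed sample events; none of these values come from the report above.
ENCODED_CMD = base64.b64encode(
    "Add-MpPreference -ExclusionExtension '.exe','.dll'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 3320, "image": r"C:\Users\victim\Downloads\installer.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "installer.exe"},
    {"pid": 3500, "image": PS, "parent_image": r"C:\Users\victim\Downloads\installer.exe",
     "cmdline": r'''powershell -nop -w hidden -c "Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming' -ExclusionExtension '.exe' -ExclusionProcess 'svchost.exe'"'''},
    {"pid": 3600, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Users\victim\Downloads\installer.exe",
     "cmdline": r'reg query "HKCU\Control Panel\International\Geo" /v Nation'},
    {"pid": 4100, "image": PS,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell -nop -w hidden -e {ENCODED_CMD}"},
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 5200, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData /t REG_DWORD /d 0'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

On the constructed events the installer's PowerShell child and the `reg add` to the Exclusions key both trigger `defender_exclusion`, the `reg query` of the Geo key triggers `geo_check`, and the Word-spawned PowerShell triggers `unexpected_child` and, once its encoded command is decoded, `defender_exclusion` as well. Matching on the decoded script rather than the raw command line is what keeps the rule from being bypassed by `-EncodedCommand`.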
MITRE ATT&CK Enterprise v15
