General
Target: JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074
Size: 1.3MB
Sample: 241222-g9cb9axphm
MD5: 056df0ec8811d5cb0d9636e72c69b7f4
SHA1: f1954a8cbbc6401833cbb7e03b96bdc00151da49
SHA256: 11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074
SHA512: c1af2b7bd482ef3e2f429a7a0ea3424e8ed55cfd2b6d5550d213c22f52180323acd7a38fe94e0f637802514560e2b5e99a15c6fed46c3f61209bfecf2f690d46
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task: behavioral1
Sample: JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe
Resource: win10v2004-20241007-en
Malware Config
Targets
Target: JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074
Score: 10/10
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2