General

  • Target

    JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc

  • Size

    1.3MB

  • Sample

    241222-gnekgswrem

  • MD5

    2ccbec0d52d71b3a44b1bb2b476a04dd

  • SHA1

    119fc4f2fde76f08afc8f4ee62357d4f46c85146

  • SHA256

    6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc

  • SHA512

    8c37e9958fab698a33b5af9ab6b672495376df1147812963de02f848b545baa8051f0fdf4b3f84cedfac873ae99ed3fb1b315928a015c6151c13ed11461605ee

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Targets

    • Target

      JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins to extend its capabilities.

    • Dcrat family

    • Process spawned unexpected child process

      A process launched a child it does not normally spawn; this typically indicates the parent was compromised via an exploit or a document macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped components are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence to avoid executing in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
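
Two of the behaviours listed above, the unexpected parent/child process relationship and the PowerShell-driven Windows Defender exclusions, are the kind of thing a detection engineer turns into a rule over process-creation telemetry. The following is an added example written for this page, not code from the sandbox or from the DCRat sample: it runs a small triage over constructed Sysmon Event ID 1 style records (parent image, image, command line). The parent/child lists, the field names, and the sample command lines are assumptions for illustration; the `-EncodedCommand` handling (base64 of UTF-16LE) and the `Add-MpPreference`/`Set-MpPreference -Exclusion*` syntax are standard PowerShell behaviour.

```python
"""Triage process-creation events for two behaviours flagged in the report:
(1) a document/Office parent spawning a script interpreter or LOLBin, and
(2) PowerShell adding Windows Defender exclusions, including when the command
is hidden behind -EncodedCommand.  All sample events below are constructed."""

import base64
import re
from typing import Dict, List, Optional

# Parents that should not normally launch script interpreters (assumed list).
DOCUMENT_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe",
}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Add-MpPreference / Set-MpPreference followed by any -Exclusion* parameter.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^|;]*?-Exclusion(Path|Extension|Process|IpAddress)?",
    re.IGNORECASE,
)
# Direct writes to the Defender exclusion registry keys (reg.exe, Set-ItemProperty, ...).
EXCLUSION_KEY_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Extensions|Processes)", re.IGNORECASE
)
# -EncodedCommand and its documented abbreviations (-e, -ec, -en, -enc) plus the payload.
ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE),
    or None if the command line carries none or it does not decode cleanly."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusion_indicators(cmdline: str) -> List[str]:
    """Reasons why a command line looks like Defender exclusion tampering."""
    decoded = decode_encoded_command(cmdline)
    reasons = []
    # Check the visible command line first, then the decoded payload if present.
    for label, text in (("", cmdline), (" (via -EncodedCommand)", decoded)):
        if text is not None and EXCLUSION_RE.search(text):
            reasons.append("Add/Set-MpPreference -Exclusion*" + label)
            break
    if any(t is not None and EXCLUSION_KEY_RE.search(t) for t in (cmdline, decoded)):
        reasons.append("write to Defender Exclusions registry key")
    return reasons


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return all findings for one process-creation event (empty list = clean)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if parent in DOCUMENT_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(f"unexpected child: {parent} -> {child}")
    findings.extend(defender_exclusion_indicators(event["command_line"]))
    return findings


# Constructed sample telemetry; the encoded payload is built here so it is exact.
_ENCODED = base64.b64encode(
    r"Set-MpPreference -ExclusionPath C:\ProgramData".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension .exe -ExclusionProcess svchost.exe"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -enc " + _ENCODED},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Temp /t REG_DWORD /d 0'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage_event(ev) or "clean")
```

The encoded-command path matters in practice: a rule that only greps the visible command line for `Add-MpPreference` misses the common `-enc` variant, so the decoder is applied before matching. Pair this with the Defender operational log or a periodic `Get-MpPreference` audit of the exclusion lists, since tamper-protected hosts will log a blocked attempt rather than a changed setting.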
