General

  • Target

    JaffaCakes118_97ddac2ca25083659a6b63aea3e55527c567ee02195b7b71e0d8feb34f104863

  • Size

    1.3MB

  • Sample

    241222-gphnjawpcw

  • MD5

    41cd0ac129aeb56fc93e9a444cce6aa4

  • SHA1

    9454b07ffdb14fd40787ced5f9f753fb846eeaa2

  • SHA256

    97ddac2ca25083659a6b63aea3e55527c567ee02195b7b71e0d8feb34f104863

  • SHA512

    837266b5406ec59cec82eec94e8bb45ac9ed4843e35f3da01ada78686d1e2b980bc7a896127bcf692a73fa2d077011ffe22c6d65e97a4eb98e5da1efee581f84

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks