General

  • Target

    JaffaCakes118_928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5

  • Size

    1.3MB

  • Sample

    241222-gtrf8sxkeq

  • MD5

    bb9fde841f13265ed7cb346dea6599ed

  • SHA1

    8722e36a8ad766f9bd996abade0af69f6668817f

  • SHA256

    928f0eac6a7f4e9afacbcba0a8e13c7a7a6ab1e376cc0a4e82a563a21b29e7b5

  • SHA512

    fad665902515da0fa1291f432d569630bffd830b1b345717c6fb17de4ed27b9175ce57875dd7889457ec7c68bf39231510b6440504a60bd9c5a02f3fcb67300f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks