Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 10:22
General
-
Target
JaffaCakes118_8cbcd4445df0e4d3cc8337b4afe830acba8d2dd504bd26693d3d8f9c211c1097.exe
-
Size
1.3MB
-
MD5
0d38d63d062fe0a5f3a25a2914f01754
-
SHA1
ed16a9e5c7321a8b70e735bdad54818394f3c185
-
SHA256
8cbcd4445df0e4d3cc8337b4afe830acba8d2dd504bd26693d3d8f9c211c1097
-
SHA512
7adb84889917ea71bcd01fcd8e56a05419a212d784b92352fe287ccadf24a041bddb80ed57803e4b642a6947b46c1b6857d28afbb3d45fa76796b87e3c4c31f0
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 6 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cbcd4445df0e4d3cc8337b4afe830acba8d2dd504bd26693d3d8f9c211c1097.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cbcd4445df0e4d3cc8337b4afe830acba8d2dd504bd26693d3d8f9c211c1097.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d4f593ef5d1852aacfd0b92c809098dd
SHA1c76f2b0ef6c189dff6ce0ec38c4461575f92ac15
SHA2564418e93ef0185b5abcc08be3ae8eb9b9b80f5e952f3d21a91fa7b43104f3b037
SHA512f73e451dc8a536e4a665347038bb94e2b78ab102d537aecbbbb4c0cd0ed0d5d70437f76a5ac39bf2e2367e486087c35ade52d66624df7745b5fe6955ce097c99
-
Filesize
342B
MD504ee1c2109e0e66fe3270a41f7afbed2
SHA10eed96767416c5184bf7c331224eb911c934255c
SHA2569c9dfd8922e059182c2a6021d780b899599a8492a51f8910ec05c897b3e50b98
SHA512f3f151dc09bc08e8abe4c777e82f2b133690d340eb7f09ca51fcff9e4bb0e0928b8e8e68da79fa065a3d59e16d61590e93361600cc51aed8d07be9c0b961df55
-
Filesize
342B
MD5c84f9cf8df957eac3115b7ad580fa7e1
SHA1cb73a3e69e767aee68ec5d3cfe0fa53d19cc39e5
SHA2566e3b7926c14804233de754de67c78e0b13a1c38a6c2f2046ef1a44ae54bb7d70
SHA512a4fbf05e65a533f5335091d628dc850642af840ed8f3a610d2674ded67e71832ffb1bc2fe9de1a3359850108f5de25ae3c4a743c412943c6292ffb067fbeab7c
-
Filesize
342B
MD523f9a58077ac761013d7eb0f56b1b1e0
SHA169aa72d9745b224afeaf2bdb94f7a8dff44196cc
SHA256d71632eb471d35b2959f2e2d19dacfb11355f8f47ab891c4a4eae0d87122fe25
SHA512bd5c950dfe37c9e30e16ad01ecd1584196c447e1a26ab56efbb59509943e369a0e71c054c2f52ea32f6fa43602b0b9ed7842e5f408be95882ebc40e24fd49bf9
-
Filesize
342B
MD533fd1160f1ddcb422738aadb56f11121
SHA14cb862b20d87ff396ccdb9aaa1e56aec0a5e935a
SHA25662c131df9dcc2b9add0f0b368b6276549e0770dabd30f79a0a048e4964f3dd3f
SHA5124b60d919dac0d1cda2d6be22178624070007af88888905e36ec2cd8ace3177382dd44cb4f35f629d0771476f6a0373f86c2c537f63a80e93226c26413fa5b116
-
Filesize
342B
MD5df92009bc138d72239b7bb0d88291081
SHA104ce704c400172126899160af24c91ba2da3dcd7
SHA256bb49ee6fa2450a8a4423d7a9760a6d108669483e0a4e7abeea99210bcf719e8a
SHA512a4d080a72452df185b32388a1a973e4f71784bc5bef4338582d5e128cf2e457d96870d4cc01b5783f63ef0851900e70ccb7f71422fa60da3bd44c7be92988336
-
Filesize
342B
MD5b9d71a13abd5575af05a764327cb4ddb
SHA15ee094764fe9d8e3301a95e79b51c72f39a872a2
SHA2568a8e3a752c49b04d6fdbdca928319b5b73e4fdb25c56dc66e25922a32d73039e
SHA512d981ad2762c7871a4df3dbc783572bb8c5fa1b4271447f84471d092f2f40ece42b42012aa512c7de96b8aab1f0083e4d6a30f92ec6dbecb328f27d581585eb48
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
236B
MD5b11cd770b3fd89aadca4998ada335c15
SHA1ed45c2b732ca310eb06b0efc6fe10ae0300b096d
SHA256170ec54928f8c122689ab446d3b3e6a1c1f9eb82516c5ae8cbf904a709d5ff29
SHA5126e8f274420a833a68df1338e75ce5d3550984b18325d5523db1c5431ab664b53895bcdd3567cca5d68c81d1564858c39cb069b348e56832786a279989b00ffc7
-
Filesize
236B
MD52c8c97c515145ef0f65d0d099437609f
SHA1314cf416638b2b5747da1950d408526b09d514a1
SHA256554631728d18deb6f9721733b10bd71ce9bf76c3fd12298c0681796aa1d0ffc3
SHA512f316fd218c049aa93e68ac0d2cf558c1c2a7d5bac2c3d2aa208dcde070842deb9da8ea66201811688804e5188dcbc61096b10d3c845a87c84374fbc0ea8a48d5
-
Filesize
236B
MD550214755ad5b18d24690400f9049eaf0
SHA10ae9728e78f6b98a0198eb6b090049c15aa93e04
SHA2563763ae492ad188147d0416ee6a788f7df649d108b76c98a4b9d76e0ac238e14f
SHA512476eef8936bc016a081d32eaaa4d9152540ff2fe3109a1246f92ba0226047ee67794307b2f8246d3d65e81c96c0d7adbb2fc19897448e42bf10d96e42f82deca
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
236B
MD5e0d9bad1598c41726e0fad28e4fc1d6c
SHA12e2de1ed3c864499d03cec7824575ad235494ff8
SHA256e99f0eb8bc5248c0c6961945b6ba58ffacbe555f2878997bb2422e9e76259316
SHA51218eef325ceb6c14f8047612079a3b0e16f4322390be7f14c9d89cdf427cc6b8a669917c6b0fe66883b669c58a45a78591d8b602cc2b783767fd57a2549c54e73
-
Filesize
236B
MD58b3e379bccea2ddbbfcc3c0a7f6472fd
SHA1496ad73a4c9e2236af7c33bafa96d8713a1c880e
SHA2568c7dc0895755d46517f16eac06b61181ade25209c34965ef3f2eeaffad005840
SHA512672164c570d4d45ac09643bdbc622b0271ff4e732a9ce640121af1aca649c1a823eb236d974dc705bf67855782ff75454614f5b93c2defb1b01d8a72e0482d1c
-
Filesize
236B
MD50eeddb153476775fa0754bfdc39ce2bf
SHA1cf60b4b9ec57d4f969f07aa6858fd52150784971
SHA256597d753ba9995c100ac7bd67e62e69686b742dad6f1b07c4b91a8e3d2b605723
SHA51260126b981d088c44bdbbe54f92f47bd8af7a9f8fd94e1dbd21cfce042189eab570da6dd9ee1e65aeaa3d58b7c0ac8a97970352f96c1b0b2e92ed2f14792bda4e
-
Filesize
236B
MD51e7a5afe69817e7887ca94a9009c38ed
SHA10b7010f466229cb2cc797ef69e4ca8fdb845cfdc
SHA2564e1738eac73b51d3d4f565fd107ffc953b9ad53d28e819111be03c62c231330b
SHA5121ef49c16ffd21d21d3e538c253959b4c5d3b21e5b4a9b502f12714493bd74cf17a7878073fd2d3a032a03b1a568ab0f6a4432bff707af3308212fc9e5ae66104
-
Filesize
236B
MD5bd29f23af38b8f6fe78c4fd8dea6d8de
SHA1c875fc08c7b49145e8c1bab3dcab052b5ce7b73a
SHA256963120d2b4834926d14f4e50a313731eca9b152245e4dc960d622b5f2fdc7b1c
SHA512892e25fe2dd9e341b7014e643d127e1e0460c50b82c76f5e951146f27b621af3a8d9b18276f79d0f788cd75aca92c9890826f0f4c01bc43a8e8b1cb9b71e62a6
-
Filesize
7KB
MD5b64251a694be01ced31c3d50a08522ec
SHA1fe364a9a207119207ae21f10d784c6d8e2c9a09a
SHA25636ab9f7a5276f68b9dc4bcdb51c00f23780c0a631ce826981920cdcdb48a5c47
SHA512eeef95e586791985d4abba28c32c5ec5c621d21a4d8c926abcd3524301df3c08c6f9de67a5ab99545e6f85ebf7107ee224937ed12f4e10229c8e27e877e47c96
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
2.9MB
-
Filesize
32KB