General
-
Target
JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367
-
Size
1.3MB
-
Sample
241230-cgl9jatqds
-
MD5
9d6a6c835223becab287987d7c1aae59
-
SHA1
f2428e81d4d2a67fb5de23ca65a45254a0e6acc8
-
SHA256
30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367
-
SHA512
bfc8861b5b4cdc2facca5b0564bd7a07ed827b6b0d1584c31036e59254d48b51bc6d9ed21183895f902d77e7bb5e57692ba645ed6d95cea67709e6e0722fd1ff
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367
-
Size
1.3MB
-
MD5
9d6a6c835223becab287987d7c1aae59
-
SHA1
f2428e81d4d2a67fb5de23ca65a45254a0e6acc8
-
SHA256
30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367
-
SHA512
bfc8861b5b4cdc2facca5b0564bd7a07ed827b6b0d1584c31036e59254d48b51bc6d9ed21183895f902d77e7bb5e57692ba645ed6d95cea67709e6e0722fd1ff
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-