General

  • Target

    JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367

  • Size

    1.3MB

  • Sample

    241230-cgl9jatqds

  • MD5

    9d6a6c835223becab287987d7c1aae59

  • SHA1

    f2428e81d4d2a67fb5de23ca65a45254a0e6acc8

  • SHA256

    30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367

  • SHA512

    bfc8861b5b4cdc2facca5b0564bd7a07ed827b6b0d1584c31036e59254d48b51bc6d9ed21183895f902d77e7bb5e57692ba645ed6d95cea67709e6e0722fd1ff

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • DcRat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
