General

  • Target

    JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84

  • Size

    1.3MB

  • Sample

    241230-cklr6strds

  • MD5

    c15e937fb952f8d30752b67a62073bf3

  • SHA1

    0c60be5e4fbceac78315bb97963bc8f1ac738ef9

  • SHA256

    e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84

  • SHA512

    82ca40ef9fc2d955803cb490fa2e0b42034478f8b78130632dd11d8b61771d1860929b5711c8b7544c4e19f6537ad20c64972d6486138eb3913f94c3eccc613a

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
