Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 02:17
Behavioral task
behavioral1
Sample
JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe
-
Size
1.3MB
-
MD5
fae8ca0cccd6610616b2a77255b8c6a2
-
SHA1
3782da47a80bd8e3663e845f51640787623adadf
-
SHA256
f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a
-
SHA512
addd9198fc7dfdb69aa867b3cb474775d4e0eded55d398ab52dfad669433fd3d1f685da8923683ecd6eda9e7d1f85db2e44b22c905578c7298780b3efe41ac89
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1888 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 660 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1268 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2892 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 272 2892 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0007000000016d4e-9.dat dcrat behavioral1/memory/2172-13-0x0000000001070000-0x0000000001180000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1404 powershell.exe 2944 powershell.exe 1656 powershell.exe 2808 powershell.exe 1860 powershell.exe 856 powershell.exe 1176 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2172 DllCommonsvc.exe 1640 DllCommonsvc.exe -
Loads dropped DLL 2 IoCs
pid Process 2196 cmd.exe 2196 cmd.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Windows Journal\en-US\explorer.exe DllCommonsvc.exe File created C:\Program Files\Windows Journal\en-US\7a0fd90576e088 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\en-US\0a1fd5f707cd16 DllCommonsvc.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\schemas\EAPMethods\DllCommonsvc.exe DllCommonsvc.exe File created C:\Windows\diagnostics\scheduled\lsass.exe DllCommonsvc.exe File created C:\Windows\tracing\conhost.exe DllCommonsvc.exe File created C:\Windows\tracing\088424020bedd6 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1972 schtasks.exe 2140 schtasks.exe 272 schtasks.exe 2720 schtasks.exe 2748 schtasks.exe 2660 schtasks.exe 2776 schtasks.exe 1268 schtasks.exe 2604 schtasks.exe 2832 schtasks.exe 2680 schtasks.exe 2752 schtasks.exe 1888 schtasks.exe 660 schtasks.exe 2692 schtasks.exe 2872 schtasks.exe 2148 schtasks.exe 2664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2172 DllCommonsvc.exe 2172 DllCommonsvc.exe 2172 DllCommonsvc.exe 1404 powershell.exe 2944 powershell.exe 2808 powershell.exe 1860 powershell.exe 856 powershell.exe 1176 powershell.exe 1656 powershell.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2172 DllCommonsvc.exe Token: SeDebugPrivilege 1404 powershell.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 1860 powershell.exe Token: SeDebugPrivilege 856 powershell.exe Token: SeDebugPrivilege 1176 powershell.exe Token: SeDebugPrivilege 1640 DllCommonsvc.exe Token: SeDebugPrivilege 1656 powershell.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2000 2500 JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe 30 PID 2500 wrote to memory of 2000 2500 JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe 30 PID 2500 wrote to memory of 2000 2500 JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe 30 PID 2500 wrote to memory of 2000 2500 JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe 30 PID 2000 wrote to memory of 2196 2000 WScript.exe 31 PID 2000 wrote to memory of 2196 2000 WScript.exe 31 PID 2000 wrote to memory of 2196 2000 WScript.exe 31 PID 2000 wrote to memory of 2196 2000 WScript.exe 31 PID 2196 wrote to memory of 2172 2196 cmd.exe 33 PID 2196 wrote to memory of 2172 2196 cmd.exe 33 PID 2196 wrote to memory of 2172 2196 cmd.exe 33 PID 2196 wrote to memory of 2172 2196 cmd.exe 33 PID 2172 wrote to memory of 2944 2172 DllCommonsvc.exe 53 PID 2172 wrote to memory of 2944 2172 DllCommonsvc.exe 53 PID 2172 wrote to memory of 2944 2172 DllCommonsvc.exe 53 PID 2172 wrote to memory of 2808 2172 DllCommonsvc.exe 54 PID 2172 wrote to memory of 2808 2172 DllCommonsvc.exe 54 PID 2172 wrote to memory of 2808 2172 DllCommonsvc.exe 54 PID 2172 wrote to memory of 1656 2172 DllCommonsvc.exe 55 PID 2172 wrote to memory of 1656 2172 DllCommonsvc.exe 55 PID 2172 wrote to memory of 1656 2172 DllCommonsvc.exe 55 PID 2172 wrote to memory of 1404 2172 DllCommonsvc.exe 58 PID 2172 wrote to memory of 1404 2172 DllCommonsvc.exe 58 PID 2172 wrote to memory of 1404 2172 DllCommonsvc.exe 58 PID 2172 wrote to memory of 1860 2172 DllCommonsvc.exe 59 PID 2172 wrote to memory of 1860 2172 DllCommonsvc.exe 59 PID 2172 wrote to memory of 1860 2172 DllCommonsvc.exe 59 PID 2172 wrote to memory of 1176 2172 DllCommonsvc.exe 60 PID 2172 wrote to memory of 1176 2172 DllCommonsvc.exe 60 PID 2172 wrote to memory of 1176 2172 DllCommonsvc.exe 60 PID 2172 wrote to memory of 856 2172 DllCommonsvc.exe 61 PID 2172 wrote to memory of 856 2172 DllCommonsvc.exe 61 PID 2172 wrote to memory of 856 2172 DllCommonsvc.exe 61 PID 2172 wrote to memory of 1640 2172 DllCommonsvc.exe 67 PID 2172 wrote to memory of 1640 2172 DllCommonsvc.exe 67 PID 2172 wrote to memory of 1640 2172 DllCommonsvc.exe 67 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD596cb525691e5c5c57e1cfdf780c4e37a
SHA1d371743b44aee00606ca5d1c0ca1d0529fe24031
SHA256d461ae7a26ad9fc75efd72423897c8ee0fd75f429e73ffd49577fdd212cf999f
SHA5122bc216027a782ef527921c59780188f20104a1f60bfced237825878943e772079bde6e328f4572c4750a3aea6ccd6f1940e11c00e52f2697bbe345c40e355f4e
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394