General

  • Target

    JaffaCakes118_71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3

  • Size

    1.3MB

  • Sample

    241230-cz3dgavmfy

  • MD5

    10a72cdc2e7f57dd910b5033810f0d65

  • SHA1

    dc1502dadabf56e71112f3af091d65aba18bf918

  • SHA256

    71f09cd837628dea19f731b255aa669853a37c378192429d86d71bbd554bd0a3

  • SHA512

    2d9297dfe277f91cc7d6ce8afe0ae201303a5c69b5d48b43f9cc4d94c83efce48c001ef293ab3f7a6450c222219f565843a2b25eaee6bd8d79ac43a53cb37814

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks