General

  • Target

    JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b

  • Size

    1.3MB

  • Sample

    241230-daa4csvrez

  • MD5

    97348f7f3bf9e023917bcc8ec55c284f

  • SHA1

    d505442ec9c9ec60005c0a9c02913164dadf1562

  • SHA256

    fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b

  • SHA512

    9cb5a108ccb51fb8a1b215a59dc08030eaee6a7d45c490843455b9effcd319fc27746b2bc104d1ca99d91689ead96edfebb6c6f4150529e420846c0811da5f44

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • Target

      JaffaCakes118_fd08c5fd4d26d8e2fd0415fc25e954346e6b50b1eb20886d7c1943b06e2df29b

    • DcRat

      DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019; it is modular and can load additional plugins at runtime.

    • Dcrat family

    • Process spawned unexpected child process

      A process started a child it does not normally create. This typically indicates the parent process was compromised via an exploit or a malicious macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the excluded files and processes are no longer scanned.

    • Checks computer location settings

      Looks up the country code (GeoID) configured in the registry, likely to geofence execution by region.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
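
Hunting logic for the Defender-exclusion behaviour listed above, as an added example that is not part of this report and not code from the sample: it parses PowerShell script-block text or process command lines for Add-MpPreference / Set-MpPreference calls, expands abbreviated parameter names (PowerShell accepts any unambiguous prefix, which defeats detections keyed on the full name), and rates each exclusion. The event lines are constructed, and the severity heuristics (user-writable paths, executable extensions, script-host processes) are assumptions made for this example.

```python
"""Detect Windows Defender exclusion tampering in PowerShell command lines or
script-block text. Added example; the events below are constructed and are
not taken from the report."""
import re
from dataclasses import dataclass

# Only the writing cmdlets matter; Get-MpPreference is read-only.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# A PowerShell value: single-quoted, double-quoted, or bare. A bare value may
# not start with '-', so the next parameter is never swallowed as a value.
_VAL = r"""(?:'[^']*'|"[^"]*"|[^\s,;|"'-][^\s,;|"']*)"""
# Parameter plus optional comma-separated value list. Switch parameters such
# as -DisableRealtimeMonitoring may carry no value at all.
PARAM_RE = re.compile(
    rf"-(Exclusion\w*|DisableRealtimeMonitoring)"
    rf"(?:(?:\s*:\s*|\s+)({_VAL}(?:\s*,\s*{_VAL})*))?",
    re.IGNORECASE,
)
VALUE_RE = re.compile(_VAL)

# PowerShell accepts any unambiguous prefix of a parameter name (-ExclusionPa),
# so abbreviated names are expanded before matching.
FULL_NAMES = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess",
              "ExclusionIpAddress", "DisableRealtimeMonitoring")
# Heuristics (assumptions for this example): exclusions covering places an
# unprivileged user can write, executable content, or script hosts rate high.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

@dataclass(frozen=True)
class Finding:
    cmdlet: str
    parameter: str   # canonical parameter name
    values: tuple
    severity: str    # "high" or "medium"

def canonical_parameter(name):
    """Expand an abbreviated parameter name; None if ambiguous (e.g. -Exclusion)."""
    hits = [f for f in FULL_NAMES if f.lower().startswith(name.lower())]
    return hits[0] if len(hits) == 1 else None

def severity(parameter, values):
    low = [v.lower() for v in values]
    if parameter == "DisableRealtimeMonitoring":
        return "high" if not low or low[0] in ("$true", "1", "true") else "medium"
    if parameter == "ExclusionExtension" and any(v.lstrip(".") in EXEC_EXTENSIONS for v in low):
        return "high"
    if parameter == "ExclusionPath" and any(m in v for v in low for m in USER_WRITABLE):
        return "high"
    if parameter == "ExclusionProcess" and any(v.rsplit("\\", 1)[-1] in SCRIPT_HOSTS for v in low):
        return "high"
    return "medium"

def parse_exclusions(text):
    """Return one Finding per tampering parameter in a command line or script block."""
    findings = []
    for m in CMDLET_RE.finditer(text):
        # Parameters belong to this cmdlet until the next pipe or statement separator.
        tail = re.split(r"[|;\n]", text[m.end():], maxsplit=1)[0]
        for p in PARAM_RE.finditer(tail):
            name = canonical_parameter(p.group(1))
            if name is None:
                continue
            values = tuple(v.strip("'\"") for v in VALUE_RE.findall(p.group(2) or ""))
            findings.append(Finding(m.group(0), name, values, severity(name, values)))
    return findings

# Constructed sample events: PowerShell 4104 script-block text and Sysmon
# event 1 command lines. Not taken from the report above.
SAMPLE_EVENTS = [
    ("4104", r"Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries','C:\ProgramData\Svc' -ExclusionExtension exe,dll"),
    ("4104", r'Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionProcess "wscript.exe"'),
    ("1", r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPa C:\Windows\Temp\upd"),
    ("4104", "Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess"),
    ("1", r"powershell.exe -c Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App'"),
]

def scan(events):
    """Return (event_id, Finding) pairs for every tampering call in the events."""
    return [(eid, f) for eid, text in events for f in parse_exclusions(text)]

if __name__ == "__main__":
    for eid, f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {eid}: {f.cmdlet} -{f.parameter} {', '.join(f.values)}")
```

Feed it the ScriptBlockText field of PowerShell event 4104 or the CommandLine field of Sysmon event 1; the read-only Get-MpPreference call produces no finding, while the abbreviated -ExclusionPa call is still attributed to ExclusionPath. The parser does not see through obfuscated cmdlet invocation (for example building the cmdlet name from string fragments), so pair it with Defender's own event 5007 (configuration changed) for coverage.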

MITRE ATT&CK Enterprise v15

Tasks