General

  • Target

    JaffaCakes118_e13045e2ede48adef296c9b7383446cc7a0ec12a148bae546c1b2cdb8db0d553

  • Size

    1.3MB

  • Sample

    241230-dex4pawkgt

  • MD5

    ab3a2bcc929908546028a233349561a3

  • SHA1

    a545a1c922a0624f5c7168debb309bb32f7221fd

  • SHA256

    e13045e2ede48adef296c9b7383446cc7a0ec12a148bae546c1b2cdb8db0d553

  • SHA512

    233ab5bfdac8fa6e589c394715b1b187f8a1c8cb5cde14fad4c387fa8de230f697473aa29a22c2d9fc8592ad31337dfa9dd0bf643bce230cbf8073613416959f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins to extend its functionality.

    • Dcrat family

    • Process spawned unexpected child process

      A parent process launched a child it would not normally spawn. This typically indicates the parent was compromised, for example via an exploit or a malicious document macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that the dropped components are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing (refusing to run in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2
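Two of the behaviours flagged above, PowerShell adding Windows Defender exclusions and a process spawning an unexpected child, are easy to turn into detection logic over process-creation telemetry. The following is an added example written for this page; it is not part of the sandbox report, and it is not DCRat code. The event records are constructed and loosely modelled on Sysmon Event ID 1 fields (ProcessId, Image, ParentImage, CommandLine); the parent/child pairs treated as suspicious, and the process name `updater.exe` in the sample, are assumptions chosen for illustration. The exclusion rule also decodes `-EncodedCommand` payloads, since the cmdlet name is invisible in the raw command line when the script is base64-encoded.

```python
"""Detection of Defender-exclusion tampering and unexpected child processes.

Added example for this report page, not code from the report or from DCRat.
Events below are constructed in the shape of Sysmon Event ID 1 fields.
"""
import base64
import re
from dataclasses import dataclass

# Add-MpPreference and Set-MpPreference are the cmdlets that change exclusions.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# One argument value: single-quoted, double-quoted, or a bare token without commas.
VALUE = r"'[^']*'|\"[^\"]*\"|[^\s,]+"
EXCLUSION_PARAM = re.compile(
    rf"-Exclusion(Path|Extension|Process)\s+((?:{VALUE})(?:\s*,\s*(?:{VALUE}))*)",
    re.IGNORECASE,
)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Parent -> children it should not normally launch (assumption for this example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
UNEXPECTED_CHILDREN = {
    "winword.exe": SCRIPT_HOSTS,
    "excel.exe": SCRIPT_HOSTS,
    "outlook.exe": SCRIPT_HOSTS,
}


@dataclass
class Finding:
    rule: str
    process_id: int
    detail: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (base64 of UTF-16LE text), otherwise the command line unchanged."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # undecodable blob: fall back to scanning the raw line


def defender_exclusions(cmdline):
    """Return [(kind, value), ...] for every exclusion the command line would add."""
    script = decode_encoded_command(cmdline)
    if not MP_CMDLET.search(script):
        return []
    found = []
    for kind, values in EXCLUSION_PARAM.findall(script):
        for v in re.findall(VALUE, values):  # token-wise, so quoted commas survive
            found.append((kind.lower(), v.strip("'\"")))
    return found


def unexpected_child(parent_image, image):
    """True if this parent/child pair is in the suspicious map above."""
    return _basename(image) in UNEXPECTED_CHILDREN.get(_basename(parent_image), set())


def scan(events):
    """Apply both rules to process-creation events and return the findings."""
    findings = []
    for ev in events:
        excl = defender_exclusions(ev["CommandLine"])
        if excl:
            findings.append(Finding("defender_exclusion", ev["ProcessId"],
                                    "; ".join(f"{k}={v}" for k, v in excl)))
        if unexpected_child(ev["ParentImage"], ev["Image"]):
            findings.append(Finding("unexpected_child", ev["ProcessId"],
                                    f"{_basename(ev['ParentImage'])} -> {_basename(ev['Image'])}"))
    return findings


# Constructed sample telemetry (not from the report). The second event hides the
# cmdlet behind -enc, the way droppers often do.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionExtension '.exe' -ExclusionProcess 'updater.exe'".encode("utf-16-le")
).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Users\user\Desktop\setup.exe", "Image": PS,
     "CommandLine": r'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming",C:\ProgramData'},
    {"ProcessId": 4188, "ParentImage": r"C:\Users\user\Desktop\setup.exe", "Image": PS,
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"ProcessId": 5002, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start /b notepad.exe"},
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-MpPreference"},  # read-only query, must not alert
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.process_id} {f.detail}")
```

Get-MpPreference is deliberately left out of the cmdlet pattern: reading the configuration is routine administration, and alerting on it would bury the Add/Set events that actually widen Defender's blind spots. The parent/child map is a starting point only; in production it should be derived from the environment's own baseline rather than from a fixed list.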

MITRE ATT&CK Enterprise v15

Tasks