General
-
Target
JaffaCakes118_c4e9853e5faf46937bc9dde2370d892b35bc6938f07a24fdceaa0b97c6bd943d
-
Size
1.3MB
-
Sample
241230-dw8lrawpfz
-
MD5
72d4cf356eb03f0b7d5e25a93d0b3f98
-
SHA1
de3c4938273fbcd229ddcfb864bd9d27367cc5df
-
SHA256
c4e9853e5faf46937bc9dde2370d892b35bc6938f07a24fdceaa0b97c6bd943d
-
SHA512
df5eef9f4b74e0384436bd02ae35ddd5611c8ad708e14a74bcd8e7d76f440f2cf065ff5d8a8b2cb675f4d840c70122c7d6acb66ea8181f51b0d0dcce399b3d6c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Behavioral task
behavioral1
Sample
JaffaCakes118_c4e9853e5faf46937bc9dde2370d892b35bc6938f07a24fdceaa0b97c6bd943d.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c4e9853e5faf46937bc9dde2370d892b35bc6938f07a24fdceaa0b97c6bd943d.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
Target
JaffaCakes118_c4e9853e5faf46937bc9dde2370d892b35bc6938f07a24fdceaa0b97c6bd943d
Score
10/10
-
DcRat
DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
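The PowerShell signature above is the one most worth turning into a host detection: a dropper that launches PowerShell to add Defender exclusions leaves a process-creation record with a recognisable command line, and the "unexpected child process" hit shows up as the parent image on that same record. The detector below is an added example written for this page, not part of the Triage report or of the sample's own code. It assumes Sysmon Event ID 1 records serialised as JSON lines using Sysmon's field names (EventID, Image, ParentImage, CommandLine, ProcessId); the log records embedded in it are constructed for the example, not taken from the sandbox run. It decodes -EncodedCommand payloads before matching, because that is how the Add-MpPreference / Set-MpPreference call is usually hidden.

```python
"""Flag PowerShell process-creation events that add Windows Defender exclusions.

Added example, not part of the Triage report. Reads Sysmon Event ID 1 records as
JSON lines, decodes -EncodedCommand payloads (base64 of UTF-16LE, as powershell.exe
expects) and extracts every -ExclusionPath / -ExclusionExtension / -ExclusionProcess
value passed to Add-MpPreference or Set-MpPreference.
"""
import base64
import json
import re
from typing import Dict, Iterable, List

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Only Add-/Set-MpPreference change exclusions; Get-MpPreference is benign.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)

# A value is double-quoted, single-quoted, or bare; lists are comma separated.
VALUE_RE = re.compile(r"""(?:"[^"]*"|'[^']*'|[^\s,;|]+)""")
EXCLUSION_PARAM = re.compile(
    r"-(Exclusion(?:Path|Process|Ext(?:ension)?))\s+"
    r"(" + VALUE_RE.pattern + r"(?:\s*,\s*" + VALUE_RE.pattern + r")*)",
    re.I,
)

# powershell.exe accepts -EncodedCommand, -ec and -e; -enc is the common prefix form.
# The lookbehind keeps "-ExecutionPolicy" / "-ExclusionPath" from matching.
ENCODED_FLAG = re.compile(r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.I)


def expand_command_line(cmdline: str) -> str:
    """Append the plaintext of any -EncodedCommand payload so matching sees it.
    Payloads that are not valid base64/UTF-16LE are left alone."""
    extra = []
    for m in ENCODED_FLAG.finditer(cmdline):
        try:
            extra.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
    return " ".join([cmdline, *extra])


def parse_exclusions(cmdline: str) -> Dict[str, List[str]]:
    """Return {'path'|'extension'|'process': [values]} for a (possibly encoded)
    PowerShell command line, or {} when it does not touch Defender exclusions."""
    text = expand_command_line(cmdline)
    if not MP_CMDLET.search(text):
        return {}
    found: Dict[str, List[str]] = {}
    for m in EXCLUSION_PARAM.finditer(text):
        kind = m.group(1).lower().replace("exclusion", "")
        kind = "extension" if kind == "ext" else kind
        # Split the list with VALUE_RE so commas inside quoted paths survive.
        values = [v.group(0).strip("\"'") for v in VALUE_RE.finditer(m.group(2))]
        found.setdefault(kind, []).extend(values)
    return found


def find_defender_exclusions(log_lines: Iterable[str]) -> List[dict]:
    """Scan Sysmon Event ID 1 JSON records; one finding per PowerShell process
    whose command line adds Defender exclusions."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in POWERSHELL_IMAGES:
            continue
        cmdline = ev.get("CommandLine", "")
        exclusions = parse_exclusions(cmdline)
        if exclusions:
            findings.append({
                "ProcessId": ev.get("ProcessId"),
                "ParentImage": ev.get("ParentImage"),  # who spawned PowerShell
                "Encoded": bool(ENCODED_FLAG.search(cmdline)),
                "Exclusions": exclusions,
            })
    return findings


def encode_ps(script: str) -> str:
    """Build the -EncodedCommand form powershell.exe expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records for the example; not taken from the sandbox run.
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": PS_IMAGE,
                "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\stage1.exe",
                "CommandLine": r"powershell.exe -nop -w hidden Add-MpPreference "
                               r"-ExclusionPath 'C:\Users\Public\Libraries' -ExclusionExtension exe,dll"}),
    json.dumps({"EventID": 1, "ProcessId": 4188, "Image": PS_IMAGE,
                "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\stage1.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc "
                               + encode_ps("Set-MpPreference -ExclusionProcess svchost.exe,explorer.exe")}),
    json.dumps({"EventID": 1, "ProcessId": 5010, "Image": PS_IMAGE,
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe -Command Get-MpPreference"}),
    json.dumps({"EventID": 1, "ProcessId": 5022, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "cmd.exe /c dir"}),
]

if __name__ == "__main__":
    for finding in find_defender_exclusions(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

On the two constructed malicious records the detector reports the exclusion paths and extensions from the first and, after decoding the -enc payload, the process exclusions from the second, each with the non-interactive parent image; the Get-MpPreference and cmd.exe records produce no finding. The same parse_exclusions function can be pointed at the CommandLine field of Windows Security Event 4688 (with command-line auditing enabled) without changes.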