General

  • Target

    JaffaCakes118_957cd130b3611c55e33c925bf6fbd3b52a0bbefb74291da75c76e1c1bd1c4596

  • Size

    1.3MB

  • Sample

    241230-dz1qbawqfx

  • MD5

    13d2928607f6af36a86e5d04d0710174

  • SHA1

    f5873528c0b8d07e0cf17fdc4f5736e97d140571

  • SHA256

    957cd130b3611c55e33c925bf6fbd3b52a0bbefb74291da75c76e1c1bd1c4596

  • SHA512

    7e8a7b82a5ee8adc6496a95d6d0da7e67c4383efc49135e71ef56bb8c424789bd6a79800977d78221d6bac739f2a17e08fb17addaa4d3b9afda571cde426ad38

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks