General

  • Target

    JaffaCakes118_9f88a7063487c02d9e569c7d1512037e02af6c5f87353cca93134d095c191191

  • Size

    1.3MB

  • Sample

    241230-wt3a3avnbs

  • MD5

    5cfac9b57297bfdab00fc4c56a80355b

  • SHA1

    fe96aca63f904448028de060ed1c18c5eb6a52bc

  • SHA256

    9f88a7063487c02d9e569c7d1512037e02af6c5f87353cca93134d095c191191

  • SHA512

    d841f98d5d4de6ba38764786c43f4b4e9256b83757bcdf735903e90afb0bd0ddc0ba96538a300ad212504d196655f70fb980303ae98bd04eacb0f7e3e0ed71de

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks