dcrat | 6ab8569493f8b26107d701117956341d4b880ffa0d5e5e498380e9e21fad6ca4

General

Target

JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Size

911KB
MD5

056f58dfd4dbd2472994437d57da6515
SHA1

b25732eeed9b92fa7c41e4d5f624e543841fb889
SHA256

6ab8569493f8b26107d701117956341d4b880ffa0d5e5e498380e9e21fad6ca4
SHA512

1d2f09ad6b752ab5d18797ebbc22991e04a3df27e3dce85f31446690c595b6550cd9db6ec69aaa57b307e36d3f1f247fb37bdfa9fb76496a3fa5e76423e7e1d3
SSDEEP

12288:lcz/RVjOGM6ToNFDsf2CXtq9ackJ74jpDDpXvjLaACqn4:lcTvrMVYNXg9r2MNpXvjuH+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2284	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2284	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2284	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2284	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2284	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2284	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2568-1-0x0000000000C50000-0x0000000000D3A000-memory.dmp	dcrat
behavioral1/files/0x000500000001a489-11.dat	dcrat
behavioral1/memory/2684-23-0x0000000000B30000-0x0000000000C1A000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2684	lsass.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI\\OSPPSVC.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Setup\\State\\lsass.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\dwm.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\cscobj\\lsass.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0\\dwm.exe\""	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\cscobj\lsass.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Windows\System32\cscobj\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0\dwm.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0\6cb0b6c459d5d3455a3da700e713f2e2529862ff	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Windows\System32\cscobj\lsass.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3455a3da700e713f2e2529862ff	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
File created	C:\Windows\Setup\State\lsass.exe	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe
2764	schtasks.exe
2852	schtasks.exe
2760	schtasks.exe
2312	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
2684	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
Token: SeDebugPrivilege	2684	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2880	2568	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe	37
PID 2568 wrote to memory of 2880	2568	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe	37
PID 2568 wrote to memory of 2880	2568	JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe	37
PID 2880 wrote to memory of 1236	2880	cmd.exe	39
PID 2880 wrote to memory of 1236	2880	cmd.exe	39
PID 2880 wrote to memory of 1236	2880	cmd.exe	39
PID 2880 wrote to memory of 2684	2880	cmd.exe	40
PID 2880 wrote to memory of 2684	2880	cmd.exe	40
PID 2880 wrote to memory of 2684	2880	cmd.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_056f58dfd4dbd2472994437d57da6515.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FLKikr2iq4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1236
- - C:\Windows\System32\cscobj\lsass.exe
    "C:\Windows\System32\cscobj\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\cscobj\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Setup\State\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FLKikr2iq4.bat

Filesize
200B

MD5
faaf1b96e0f72399dff6962f31bbb9f8

SHA1
b226f5ae1e8a52d73565fb005746bf063e8b90e5

SHA256
a060f2aedb16fab88d4a7c7fa51f464c5e7415cdebdb0c3aa00d44f74ccedaa8

SHA512
7bc0217f3425e216c4584a796055e5873bb41e3ad2279541adf5dbe143f949660996bdfeb1f886dfdaaa84106704369e8d995a4a38a68a1dfb0101da8027e26c

Download Submit
C:\Windows\Setup\State\lsass.exe

Filesize
911KB

MD5
056f58dfd4dbd2472994437d57da6515

SHA1
b25732eeed9b92fa7c41e4d5f624e543841fb889

SHA256
6ab8569493f8b26107d701117956341d4b880ffa0d5e5e498380e9e21fad6ca4

SHA512
1d2f09ad6b752ab5d18797ebbc22991e04a3df27e3dce85f31446690c595b6550cd9db6ec69aaa57b307e36d3f1f247fb37bdfa9fb76496a3fa5e76423e7e1d3

Download Submit
memory/2568-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x0000000000C50000-0x0000000000D3A000-memory.dmp

Filesize
936KB

Download
memory/2568-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-20-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-23-0x0000000000B30000-0x0000000000C1A000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads