Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-01-2025 18:26

General

  • Target

    JaffaCakes118_3381479bab1dcacfbb8a7e4a4537f5f9.exe

  • Size

    1.2MB

  • MD5

    3381479bab1dcacfbb8a7e4a4537f5f9

  • SHA1

    771087a449813a1ab214aec8447122d28d772bfd

  • SHA256

    e0b451a5258bdacc66d22f0e7b45b67cb35a5bb7acab07aac122bd472e5a0827

  • SHA512

    a062dc024ba2effa2373790775f103cc8a14662ce444280b631656c816832f4e173f4e943c1efa0e8f39a0e66c77a2ccfe47df25970944bba47610f02932af73

  • SSDEEP

    24576:s2G/nvxW3WvpSbNLEJxpseQihFqfmVPOBBD+4L:sbA3WM9MxBTZ3m

Malware Config

Signatures

  • DcRat 9 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3381479bab1dcacfbb8a7e4a4537f5f9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3381479bab1dcacfbb8a7e4a4537f5f9.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Fontwininto\WsMKGuTKQDoUceIpFc.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\Fontwininto\Q8Jl1DujYt.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Users\Admin\AppData\Roaming\Fontwininto\FontwinintoRefdllNet.exe
          "C:\Users\Admin\AppData\Roaming\Fontwininto\FontwinintoRefdllNet.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Program Files\Common Files\Microsoft Shared\Stationery\csrss.exe
            "C:\Program Files\Common Files\Microsoft Shared\Stationery\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Stationery\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wow64win\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\wship6\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\mfc110cht\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\mf\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\pcadm\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Fontwininto\Q8Jl1DujYt.bat

    Filesize

    48B

    MD5

    97e115a1bf240df8c7e2fc4af9bb2f19

    SHA1

    431d2f966b8c228ffaf52ca94ed47506ece641ec

    SHA256

    caac133a0bc69373d7a39ccf8be005d00873e91be6909c3d61f446798ba70360

    SHA512

    a7a3c5250af1a1df5d78d30edc96521a659764c4aece6d4b6238b5bca431e4e976ccd204697e177a337587c3cf960e5f9c0d39a031e4660cfd7d5897e24fced5

  • C:\Users\Admin\AppData\Roaming\Fontwininto\WsMKGuTKQDoUceIpFc.vbe

    Filesize

    205B

    MD5

    02a82d3b9ba301e2021ae64c83fb6ae5

    SHA1

    07436b2f55fc4cf70e880ea1b5372e012d68df8a

    SHA256

    d7d37b4bcea8754e1a3d11aec318ad00b0d2ec9c46818be98dc608282a204582

    SHA512

    d6cbd89ecfe65647274cbc476f15beeb624f274afdfa4fc78ef92a1ad000b72bf94174c56e63da24a1d36d1f2e851f7cdf59ee330b19344d26b818f92ede3613

  • \Users\Admin\AppData\Roaming\Fontwininto\FontwinintoRefdllNet.exe

    Filesize

    912KB

    MD5

    1ec0ef270ff4b08fa5b6436ab0ed39d0

    SHA1

    363e5655608be17b3ba57bf54cd2de3be943afb4

    SHA256

    98372c461f60eb37116d1a876433e4d333126ddbec61cfafa7e4ed64a9f7a844

    SHA512

    0d08cf20e83e876b82baf7bb04b829f67fe0afab262685a25012f3789541e484fb893647ede9ff2dc48d617c647564ef1533cdd54ecfe5c9838344b072b22bd9

  • memory/816-36-0x0000000000D40000-0x0000000000E2C000-memory.dmp

    Filesize

    944KB

  • memory/2784-13-0x0000000000CB0000-0x0000000000D9C000-memory.dmp

    Filesize

    944KB