dcrat | 6095c3b37ce46a00267f8bd43345e1e83f366875901c0cdfd22349360c930219

General

Target

JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe
Size

1.2MB
MD5

321f612c6caf1fd630725623fe40a5fe
SHA1

8cf094d5074445dd427987edc583e90c09eb4c1b
SHA256

6095c3b37ce46a00267f8bd43345e1e83f366875901c0cdfd22349360c930219
SHA512

6aed7fde3c3f52c14e1c0f44b64147c0ed4c9c87b93c02e354ff7364a0296ed0affa2fb2c3caf73e07f764ce7d7840acb5e4e02f7e1fe1031b6226f18af5610f
SSDEEP

24576:P2G/nvxW3WsLG9Eiz6adDRmCICoh3yfB0R9We1tHJTiBdTadFOQxQUS2NQtLqv7P:PbA3vLG9Eiz6adDRmCICoh3yfB0R9Wef

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe
		1908	schtasks.exe
		3692	schtasks.exe
		3544	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1108	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1108	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1108	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023ca6-9.dat	dcrat
behavioral2/memory/4908-13-0x00000000007E0000-0x00000000008CA000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	driverintoperfCommonsessiondll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe

Executes dropped EXE 2 IoCs

pid	Process
4908	driverintoperfCommonsessiondll.exe
4316	System.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\lsasetup\\sysmon.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\driverintoperfCommonsessiondll = "\"C:\\driverintoperfCommon\\vJSmSBhcFKfKb07LK\\driverintoperfCommonsessiondll.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	driverintoperfCommonsessiondll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lsasetup\sysmon.exe	driverintoperfCommonsessiondll.exe
File created	C:\Windows\lsasetup\121e5b5079f7c0e46d90f99b3864022518bbbda9	driverintoperfCommonsessiondll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1908	schtasks.exe
3692	schtasks.exe
3544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4908	driverintoperfCommonsessiondll.exe
4908	driverintoperfCommonsessiondll.exe
4908	driverintoperfCommonsessiondll.exe
4316	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	driverintoperfCommonsessiondll.exe
Token: SeDebugPrivilege	4316	System.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2236	4972	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe	82
PID 4972 wrote to memory of 2236	4972	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe	82
PID 4972 wrote to memory of 2236	4972	JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe	82
PID 2236 wrote to memory of 4936	2236	WScript.exe	83
PID 2236 wrote to memory of 4936	2236	WScript.exe	83
PID 2236 wrote to memory of 4936	2236	WScript.exe	83
PID 4936 wrote to memory of 4908	4936	cmd.exe	85
PID 4936 wrote to memory of 4908	4936	cmd.exe	85
PID 4908 wrote to memory of 4316	4908	driverintoperfCommonsessiondll.exe	90
PID 4908 wrote to memory of 4316	4908	driverintoperfCommonsessiondll.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_321f612c6caf1fd630725623fe40a5fe.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverintoperfCommon\wlmoRFgBvo.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\driverintoperfCommon\vJSmSBhcFKfKb07LK.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\driverintoperfCommon\driverintoperfCommonsessiondll.exe
      "C:\driverintoperfCommon\driverintoperfCommonsessiondll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Recovery\WindowsRE\System.exe
        
        "C:\Recovery\WindowsRE\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverintoperfCommonsessiondll" /sc ONLOGON /tr "'C:\driverintoperfCommon\vJSmSBhcFKfKb07LK\driverintoperfCommonsessiondll.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\lsasetup\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\driverintoperfCommon\driverintoperfCommonsessiondll.exe

Filesize
911KB

MD5
056f58dfd4dbd2472994437d57da6515

SHA1
b25732eeed9b92fa7c41e4d5f624e543841fb889

SHA256
6ab8569493f8b26107d701117956341d4b880ffa0d5e5e498380e9e21fad6ca4

SHA512
1d2f09ad6b752ab5d18797ebbc22991e04a3df27e3dce85f31446690c595b6550cd9db6ec69aaa57b307e36d3f1f247fb37bdfa9fb76496a3fa5e76423e7e1d3

Download Submit
C:\driverintoperfCommon\vJSmSBhcFKfKb07LK.bat

Filesize
60B

MD5
7714e2b53919911e980444b45460395e

SHA1
21cddd2196d4e75bbb2cc7707b94934932680d07

SHA256
6e0f83f0badfed55ce960d3f3b49b742c3f2bf50e36beefd48fdbb2d0b71bc8c

SHA512
2611942f953a7c4deaf4a80863279a309befa69171f2e657a671afc52b9540dbada2b147280ac2af05d71e78802ba56b0cd82bfe8799fcd53805ffa0b828ae03

Download Submit
C:\driverintoperfCommon\wlmoRFgBvo.vbe

Filesize
214B

MD5
b691364b66d675eeed04c145b61c1eec

SHA1
dc589cc90dea7c2337354951a18ddc456ef6cb19

SHA256
1028571339899a1c775e82790e37ce001554848fae43c5c58357474c94b5bd2b

SHA512
a807538e52b8acdbcc35d60df9b3ff1e529cd23c39a7a2a5afe19fc4a05ba46d9cb7ba1a7012f43c2b27eef7681dff8d3a9aa204fe85816146455ac0e1a8010c

Download Submit
memory/4908-12-0x00007FFFA37F3000-0x00007FFFA37F5000-memory.dmp

Filesize
8KB

Download
memory/4908-13-0x00000000007E0000-0x00000000008CA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads