dcrat | 2321740f8faa2f44307ba42c8c5cb676506e8c8f76f9bc2aacd585f9809767b8

General

Target

JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Size

547KB
MD5

385e5e5ca1cf37ef0fd0f8738066f457
SHA1

be83e4802fc9332595ea7bd754198b4232c47509
SHA256

2321740f8faa2f44307ba42c8c5cb676506e8c8f76f9bc2aacd585f9809767b8
SHA512

f395f79d5368bf23311cf56af5e69dbb51d805eb0d134742e1fd1e91d5246ce7fb90529f1bbcfe4b77c94a6e64da5ebc69905e35f98f8c5d8ac532ee174b62a9
SSDEEP

12288:xqnO30tV2lZu09sR2ia1OgdDG3cSIksYEkQlrB:x+O3rvZDiUx5

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3680	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3680	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3680	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3680	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3680	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1460-1-0x0000000000BB0000-0x0000000000C40000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c19-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe

Executes dropped EXE 1 IoCs

pid	Process
2580	taskhostw.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\fhsettingsprovider\\taskhostw.exe\""	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\FXSUNATD\\taskhostw.exe\""	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\en-US\\lsass.exe\""	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\RemoteWipeCSP\\dwm.exe\""	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\RemoteWipeCSP\dwm.exe	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\System32\RemoteWipeCSP\6cb0b6c459d5d3455a3da700e713f2e2529862ff	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\System32\fhsettingsprovider\taskhostw.exe	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\System32\fhsettingsprovider\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\System32\FXSUNATD\taskhostw.exe	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\System32\FXSUNATD\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\en-US\lsass.exe	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\en-US\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
File created	C:\Windows\en-US\lsass.exe	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3600	schtasks.exe
2376	schtasks.exe
4900	schtasks.exe
808	schtasks.exe
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
2580	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
Token: SeDebugPrivilege	2580	taskhostw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2316	1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe	88
PID 1460 wrote to memory of 2316	1460	JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe	88
PID 2316 wrote to memory of 1152	2316	cmd.exe	90
PID 2316 wrote to memory of 1152	2316	cmd.exe	90
PID 2316 wrote to memory of 2580	2316	cmd.exe	91
PID 2316 wrote to memory of 2580	2316	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_385e5e5ca1cf37ef0fd0f8738066f457.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9fmXMux5Je.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1152
- - C:\Windows\System32\fhsettingsprovider\taskhostw.exe
    "C:\Windows\System32\fhsettingsprovider\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\RemoteWipeCSP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\fhsettingsprovider\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\FXSUNATD\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fmXMux5Je.bat

Filesize
216B

MD5
c60e09f69b0861832eec4b7ca46d86ee

SHA1
ff76a60a5af5a85d0db496d4a67e12f6a311fe90

SHA256
8f9a553f0bdd18187b9efb04ad1b7c7789744a99aac36a1f73f56ecc149c5606

SHA512
fa4218840a85a6ddaf23e5a22cb215a184603d612b3737f01037dead1c1dc6783e8bd2f0f04cf8f086ad32bc5dce247b0a0735a5dda9b4f8a48a5439ba1162b9

Download Submit
C:\Windows\System32\FXSUNATD\taskhostw.exe

Filesize
547KB

MD5
385e5e5ca1cf37ef0fd0f8738066f457

SHA1
be83e4802fc9332595ea7bd754198b4232c47509

SHA256
2321740f8faa2f44307ba42c8c5cb676506e8c8f76f9bc2aacd585f9809767b8

SHA512
f395f79d5368bf23311cf56af5e69dbb51d805eb0d134742e1fd1e91d5246ce7fb90529f1bbcfe4b77c94a6e64da5ebc69905e35f98f8c5d8ac532ee174b62a9

Download Submit
memory/1460-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/1460-1-0x0000000000BB0000-0x0000000000C40000-memory.dmp

Filesize
576KB

Download
memory/1460-4-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-19-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2580-23-0x0000000001650000-0x000000000165C000-memory.dmp

Filesize
48KB

Download
memory/2580-24-0x0000000001680000-0x000000000168C000-memory.dmp

Filesize
48KB

Download
memory/2580-25-0x0000000001690000-0x000000000169E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads