General

Target: JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9
Size: 911KB
Sample: 250107-gj64yaxkgw
MD5: 5122e9b0deae7300d07a5550c40eabc9
SHA1: 1a8509c1adf72145cf58f7a55f9821c7cb952447
SHA256: 7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5
SHA512: e7ed78d4c5662587b949ab28878c557e07e8052e2ee59628440d379d0db9f72507049b7d523e20551e5809869f9e605838e7bd96a13e14a6d7338ff964d1f92a
SSDEEP: 12288:lLpIhnEH6vXGyw/QnLSQy4bEJRG8atNkQ1WzeKWL+A4ZoIV5jCHx42ICtfqn4:FqyywIjbjZtNkQvKM+A4iIb67tf+4
Behavioral task behavioral1
Sample: JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Resource: win10v2004-20241007-en
Malware Config
(no entries)

Targets

Target: JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9
Size: 911KB
Score: 10/10

- DcRat
  DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
- Dcrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Tactic       Technique                                   Sub-technique                                  Hits
Persistence  Boot or Logon Autostart Execution (T1547)   Registry Run Keys / Startup Folder (T1547.001)  1
Persistence  Boot or Logon Autostart Execution (T1547)   Winlogon Helper DLL (T1547.004)                 1
Persistence  Scheduled Task/Job (T1053)                  Scheduled Task (T1053.005)                      1

(Boot or Logon Autostart Execution totals 2 hits across its two sub-techniques; Scheduled Task/Job totals 1.)
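As an added example (not part of the sandbox report and not the sample's own code), the Python below matches sandbox-style registry events against the persistence and geofence behaviours in the signature list above and tallies the hits in the shape of the ATT&CK table. The event tuple layout, the dropped-file path and the GeoID value are constructed for illustration; the registry key paths, the stock Winlogon baseline values and the ATT&CK IDs are standard Windows and MITRE ones.

```python
"""Flag Winlogon, Run-key, scheduled-task and geofence registry activity from
sandbox-style registry events and map each hit to an ATT&CK sub-technique.

Added example for this report. The event tuple layout, DROPPED path and the
GeoID value are constructed, not the sandbox's schema or the sample's artefacts.
"""
from collections import Counter
from dataclasses import dataclass

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a clean Windows install; anything else chains a helper
# binary into the logon sequence (Winlogon Helper DLL, T1547.004).
WINLOGON_BASELINE = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}
# Per-user (HKCU) and machine-wide (HKLM) autostart keys (T1547.001).
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Task Scheduler registers each task under this tree (T1053.005).
TASKCACHE_TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
# GeoID of the configured location; read by the "Checks computer location" signature.
GEO_KEY = r"HKCU\Control Panel\International\Geo"


@dataclass(frozen=True)
class Finding:
    signature: str   # wording used in the report's signature list
    technique: str   # ATT&CK ID, or "" where the report maps none
    process: str
    detail: str


def classify(process, operation, key, value_name, data):
    """Return a Finding for one registry event, or None if it looks benign."""
    k = key.lower()
    v = (value_name or "").lower()
    if operation == "RegSetValue" and k == WINLOGON_KEY.lower() and v in WINLOGON_BASELINE:
        if data.lower().strip() != WINLOGON_BASELINE[v]:
            return Finding("Modifies WinLogon for persistence", "T1547.004",
                           process, f"{value_name} = {data}")
        return None  # rewritten to the stock value: not a deviation
    if operation == "RegSetValue" and any(k.endswith(s) for s in RUN_KEY_SUFFIXES):
        return Finding("Adds Run key to start application", "T1547.001",
                       process, f"{value_name} = {data}")
    if operation in ("RegCreateKey", "RegSetValue") and k.startswith(TASKCACHE_TREE.lower()):
        return Finding("Registers scheduled task", "T1053.005", process, key)
    if operation == "RegQueryValue" and k == GEO_KEY.lower() and v == "nation":
        return Finding("Checks computer location settings", "",
                       process, f"GeoID {data} read, likely geofence")
    return None


def scan(events):
    """Classify every (process, operation, key, value_name, data) tuple."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def attack_summary(findings):
    """Hits per ATT&CK ID, the same shape as the report's MITRE table."""
    return dict(Counter(f.technique for f in findings if f.technique))


# Constructed sample events modelled on the behaviours the report lists.
EXE = "JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe"
DROPPED = r"C:\Windows\System32\example_dropped.exe"  # constructed path
SAMPLE_EVENTS = [
    (EXE, "RegQueryValue", GEO_KEY, "Nation", "244"),
    (EXE, "RegSetValue", WINLOGON_KEY, "Userinit",
     r"C:\Windows\system32\userinit.exe," + DROPPED + ","),
    (EXE, "RegSetValue", WINLOGON_KEY, "Shell", "explorer.exe"),  # stock: benign
    (EXE, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "example_dropped", DROPPED),
    (DROPPED, "RegCreateKey", TASKCACHE_TREE + r"\example_dropped", None, ""),
    ("explorer.exe", "RegSetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.technique or '-':10} {f.signature}: {f.process} -> {f.detail}")
    print(attack_summary(hits))
```

The Winlogon rule compares against the stock value rather than alerting on any write, because installers and Group Policy legitimately rewrite Userinit and Shell to their defaults; the geofence read is reported but left without an ATT&CK ID, matching the report, which maps no technique to that signature.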