Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-01-2025 05:51

General

  • Target

    JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe

  • Size

    911KB

  • MD5

    5122e9b0deae7300d07a5550c40eabc9

  • SHA1

    1a8509c1adf72145cf58f7a55f9821c7cb952447

  • SHA256

    7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5

  • SHA512

    e7ed78d4c5662587b949ab28878c557e07e8052e2ee59628440d379d0db9f72507049b7d523e20551e5809869f9e605838e7bd96a13e14a6d7338ff964d1f92a

  • SSDEEP

    12288:lLpIhnEH6vXGyw/QnLSQy4bEJRG8atNkQ1WzeKWL+A4ZoIV5jCHx42ICtfqn4:FqyywIjbjZtNkQvKM+A4iIb67tf+4

Malware Config

Signatures

  • DcRat 31 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 13 IoCs
  • Process spawned unexpected child process 13 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
  • Drops file in System32 directory 8 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DDNoqCsMQT.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:3220
        • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
          "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q4f17Ff7xO.bat"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4564
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              5⤵
              PID:1420
              • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe
                "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\PerfLogs\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\mfc140enu\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\KBDINEN\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wmidx\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:904
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\mfc140enu\SppExtComObj.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4476
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Recovery\WindowsRE\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d

        Filesize

        260B

        MD5

        ffae34cc3cb7b0c8b754ffed3a430389

        SHA1

        c7614775f18978dcd8c52e0e2bb85da8f0436083

        SHA256

        4090c970e479b580be8d6fe6340f3f834a78516195a2549776e0774f914d0030

        SHA512

        862cd5ed393fe34d936ca18c1577f129a00abe3ceea9142b2d4ff02b50baa25f961b29c2417b9f94c94ecc5d7e5494f2108688524231f133eae715eadc0be8b0

      • C:\Recovery\WindowsRE\RuntimeBroker.exe

        Filesize

        911KB

        MD5

        5122e9b0deae7300d07a5550c40eabc9

        SHA1

        1a8509c1adf72145cf58f7a55f9821c7cb952447

        SHA256

        7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5

        SHA512

        e7ed78d4c5662587b949ab28878c557e07e8052e2ee59628440d379d0db9f72507049b7d523e20551e5809869f9e605838e7bd96a13e14a6d7338ff964d1f92a

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe.log

        Filesize

        1KB

        MD5

        b7c0c43fc7804baaa7dc87152cdc9554

        SHA1

        1bab62bd56af745678d4e967d91e1ccfdeed4038

        SHA256

        46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

        SHA512

        9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

      • C:\Users\Admin\AppData\Local\Temp\DDNoqCsMQT.bat

        Filesize

        248B

        MD5

        3d48a11ae831b2726c6726121965f8de

        SHA1

        8ffd17357f1d1d3e68b4c3dfd2a151f2db06e57d

        SHA256

        3f795116ee3a15e984ebc31ecec427adaac167374773b5028d30beba8ab6ef6e

        SHA512

        3d4d1fbfae73c984bf8d00833490dffea4473db76bdbea5ab4f3b37bb57da2b90b8dc21a92bf7e6a74a09cfebe1988e89e5ac225fb6a4e23f681c9d1d78673cc

      • C:\Users\Admin\AppData\Local\Temp\Q4f17Ff7xO.bat

        Filesize

        244B

        MD5

        22955148a449267d888e9754c807b3c4

        SHA1

        0fce939c503855371ebbbf602372e3248dd636a7

        SHA256

        1e262b1aeae9da7babfa23aaf671b6930d678797afbad49b315f02327f240ec2

        SHA512

        660d6b8ce58a4811f57bff52f6fe77615ae5de657d1e5a62a932c3bcb6b09dd13430f96d1711cd28469654f4a7946a21605f47ecfd3f8c8120d649a057387554

      • C:\Windows\System32\mfc140enu\e1ef82546f0b02b7e974f28047f3788b1128cce1

        Filesize

        799B

        MD5

        c7a48a68445ed7caeb8746f172059216

        SHA1

        1cc28065e5a789daac8fe17b20d3604002bea5cd

        SHA256

        db9f00701d84b2e888b403b4a9753186cf541f94642ad0c50db25df53a63ac00

        SHA512

        3913227cbf68ddf7fdeeac1f8c4a5561261c21e79272b6efe3b2e38378b126e95236f59f52ad172b32c600d972c9ff3d10556c1c0628c4ddf8383a9224ea7b17

      • memory/4856-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

        Filesize

        8KB

      • memory/4856-1-0x00000000000E0000-0x00000000001CA000-memory.dmp

        Filesize

        936KB

      • memory/4856-4-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

        Filesize

        10.8MB

      • memory/4856-21-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

        Filesize

        10.8MB