dcrat | 2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b

General

Target

JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Size

912KB
MD5

5cf52073c857663094cb9adfed619466
SHA1

39b9659ed36da558aea03f4143203590dcc22e5b
SHA256

2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b
SHA512

aec119cac2d5d5dec51f219dd6a306e63bcbdc4b824c51e0f79c8282d2e12f9ee9fcad4b9232d4aca2ac48ba292a967a725f1ae8a610ad794e99910f53e41bda
SSDEEP

12288:3MDfrNRZBJfl9RE7phmUtEsS4QP9WleSAYqQWPqyYW3nKqn4:3MTbZzZeKUNHA986Q4XK+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1144	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1144	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1144	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1144	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2536-1-0x0000000000E50000-0x0000000000F3C000-memory.dmp	dcrat
behavioral1/files/0x0008000000016115-17.dat	dcrat
behavioral1/memory/2908-19-0x0000000000380000-0x000000000046C000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2908	dwm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wwancfg\\dwm.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\C_1250\\lsm.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\TSChannel\\wininit.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\TSChannel\560854153607923c4c5f107085a7db67be01f252	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\wwancfg\dwm.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File opened for modification	C:\Windows\System32\wwancfg\dwm.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\wwancfg\6cb0b6c459d5d3455a3da700e713f2e2529862ff	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\C_1250\lsm.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\C_1250\101b941d020240259ca4912829b53995ad543df6	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\TSChannel\wininit.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
2284	schtasks.exe
2728	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
2908	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Token: SeDebugPrivilege	2908	dwm.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2716	2536	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe	35
PID 2536 wrote to memory of 2716	2536	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe	35
PID 2536 wrote to memory of 2716	2536	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe	35
PID 2716 wrote to memory of 1288	2716	cmd.exe	37
PID 2716 wrote to memory of 1288	2716	cmd.exe	37
PID 2716 wrote to memory of 1288	2716	cmd.exe	37
PID 2716 wrote to memory of 2908	2716	cmd.exe	38
PID 2716 wrote to memory of 2908	2716	cmd.exe	38
PID 2716 wrote to memory of 2908	2716	cmd.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf52073c857663094cb9adfed619466.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c1EqZx0gjL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1288
- - C:\Windows\System32\wwancfg\dwm.exe
    "C:\Windows\System32\wwancfg\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wwancfg\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\C_1250\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\TSChannel\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c1EqZx0gjL.bat

Filesize
199B

MD5
a83f3416b1fc57f38ef3f6577ad3637b

SHA1
1044d6a67f0740d36c044deba78f863a94957a67

SHA256
7104b960e978849383b5d1e50dd896cb8296c51c9c76dbdf503a195656bd750e

SHA512
bb5678a03ab0fca306e9f549ed82015edf0cf41663ed95cead0365e4c7c9332339330dc176b92a45986611d5fce9aef235678930d82d08fb57182b507340f8c1

Download Submit
C:\Windows\System32\wwancfg\dwm.exe

Filesize
912KB

MD5
5cf52073c857663094cb9adfed619466

SHA1
39b9659ed36da558aea03f4143203590dcc22e5b

SHA256
2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b

SHA512
aec119cac2d5d5dec51f219dd6a306e63bcbdc4b824c51e0f79c8282d2e12f9ee9fcad4b9232d4aca2ac48ba292a967a725f1ae8a610ad794e99910f53e41bda

Download Submit
memory/2536-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x0000000000E50000-0x0000000000F3C000-memory.dmp

Filesize
944KB

Download
memory/2536-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2536-15-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-19-0x0000000000380000-0x000000000046C000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads