dcrat | 2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b

General

Target

JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Size

912KB
MD5

5cf52073c857663094cb9adfed619466
SHA1

39b9659ed36da558aea03f4143203590dcc22e5b
SHA256

2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b
SHA512

aec119cac2d5d5dec51f219dd6a306e63bcbdc4b824c51e0f79c8282d2e12f9ee9fcad4b9232d4aca2ac48ba292a967a725f1ae8a610ad794e99910f53e41bda
SSDEEP

12288:3MDfrNRZBJfl9RE7phmUtEsS4QP9WleSAYqQWPqyYW3nKqn4:3MTbZzZeKUNHA986Q4XK+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3900	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3900	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2972-1-0x0000000000400000-0x00000000004EC000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b6f-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	MusNotification.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\wmpps\\winlogon.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Saved Games\\fontdrvhost.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\sppsvc.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\System32\\mfc100enu\\MusNotification.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\mfc100enu\MusNotification.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\mfc100enu\aa97147c4c782d4a77c6b7822ef5383b917e6cfb	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\wmpps\winlogon.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\System32\wmpps\cc11b995f2a76da408ea6a601e682e64743153ad	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\uk-UA\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653fe07efe8f1ecc32d3d195abd16	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653fe07efe8f1ecc32d3d195abd16	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3228	schtasks.exe
1468	schtasks.exe
2496	schtasks.exe
3192	schtasks.exe
1840	schtasks.exe
2520	schtasks.exe
4284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
2968	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
Token: SeDebugPrivilege	2968	MusNotification.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1588	2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe	91
PID 2972 wrote to memory of 1588	2972	JaffaCakes118_5cf52073c857663094cb9adfed619466.exe	91
PID 1588 wrote to memory of 4940	1588	cmd.exe	93
PID 1588 wrote to memory of 4940	1588	cmd.exe	93
PID 1588 wrote to memory of 2968	1588	cmd.exe	96
PID 1588 wrote to memory of 2968	1588	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf52073c857663094cb9adfed619466.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cf52073c857663094cb9adfed619466.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BqoHeWMPtw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4940
- - C:\Windows\System32\mfc100enu\MusNotification.exe
    "C:\Windows\System32\mfc100enu\MusNotification.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\System32\mfc100enu\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wmpps\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BqoHeWMPtw.bat

Filesize
213B

MD5
0300eb3ae16c1b6705519e44eae76836

SHA1
9a20826e982b3ab22efa20310f90708755b4a536

SHA256
a2c126c75c8a8becde6260dcb1f9f4b64d76c883a856ecf83c8c54b4dbf90527

SHA512
32e0d5cffa84d11e08dcab70ce458e6d2a12fe051b9faaca24d4c5bf526df9f1a98108fe6b40fa390aac1ddaae225f80e510855006e0e91ef3396e887550ab1e

Download Submit
C:\Windows\System32\mfc100enu\MusNotification.exe

Filesize
912KB

MD5
5cf52073c857663094cb9adfed619466

SHA1
39b9659ed36da558aea03f4143203590dcc22e5b

SHA256
2d6700a4c98e079bd9d66aca7c0b3a00f16d255168d357331125ed815309251b

SHA512
aec119cac2d5d5dec51f219dd6a306e63bcbdc4b824c51e0f79c8282d2e12f9ee9fcad4b9232d4aca2ac48ba292a967a725f1ae8a610ad794e99910f53e41bda

Download Submit
memory/2972-0-0x00007FFE584C3000-0x00007FFE584C5000-memory.dmp

Filesize
8KB

Download
memory/2972-1-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2972-4-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download
memory/2972-22-0x00007FFE584C0000-0x00007FFE58F81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads