Overview

overview

10

Static

static

3

JaffaCakes...9a.exe

windows7-x64

10

JaffaCakes...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_70efb1bfc943310507e345e5d4c4659a.exe

  • Size

    2.9MB

  • MD5

    70efb1bfc943310507e345e5d4c4659a

  • SHA1

    4d770f651e9e206983d2223ddb8ce7489b59dce2

  • SHA256

    143a4aac0008786b5dc5c9f1fd94536c535e3a24f064526bba8f5b49bcdb2810

  • SHA512

    e337ae217f42f304ff25cca3ec9272e375e3e66043def82c3cfa74c05e2b3415f3ac7244808fe263c452df0a7664abd024a33169a0bc4394d3ae5ee38e212b45

  • SSDEEP

    49152:98wHWg2dOM7U8eEdHWls4K/c9TScxGuaGolGDISsA/0dwOZ/Szo+zCV:98wv2dOEBBWq1EVd53DI46FZ/Mov

Score
10/10
dcratdiscoveryevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70efb1bfc943310507e345e5d4c4659a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70efb1bfc943310507e345e5d4c4659a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHIv67QnYC.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:2696
        • C:\Windows\BitLockerDiscoveryVolumeContents\System.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\System.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4948
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\CertPolEng\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxSignature\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.UI.Logon.ProxyStub\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3276

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ZHIv67QnYC.bat
      Filesize

      218B

      MD5

      210cf1eb2d3339fa01ada9303cb10f3c

      SHA1

      aea2afa7fcfbb14d219f4f840da62683fbc687f8

      SHA256

      a8b78b04971061244c79bd43680c776f364c0ad3bf7b7478003cf9d6d8d1b128

      SHA512

      a66736628ec3a86b123259c88102f6043f6f289ca6edddbc2709612f0a4acfefbe5e3e73187a03e9a9e2f80feca664dd7399465a2a7b36cdba53b8d750e40a46

      Download Submit

    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\resources\StartMenuExperienceHost.exe
      Filesize

      2.9MB

      MD5

      70efb1bfc943310507e345e5d4c4659a

      SHA1

      4d770f651e9e206983d2223ddb8ce7489b59dce2

      SHA256

      143a4aac0008786b5dc5c9f1fd94536c535e3a24f064526bba8f5b49bcdb2810

      SHA512

      e337ae217f42f304ff25cca3ec9272e375e3e66043def82c3cfa74c05e2b3415f3ac7244808fe263c452df0a7664abd024a33169a0bc4394d3ae5ee38e212b45

      Download Submit

    • memory/2376-3-0x0000000007AE0000-0x0000000008084000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2376-0-0x0000000000440000-0x0000000000A84000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2376-4-0x0000000007430000-0x00000000074CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2376-7-0x0000000007530000-0x0000000007596000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2376-2-0x0000000000440000-0x0000000000A84000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2376-1-0x0000000000440000-0x0000000000A84000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/2376-25-0x0000000000440000-0x0000000000A84000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/3920-29-0x00000000004C0000-0x0000000000B04000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/3920-30-0x00000000004C0000-0x0000000000B04000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/3920-31-0x00000000004C0000-0x0000000000B04000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/3920-32-0x0000000007840000-0x000000000784E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3920-35-0x00000000004C0000-0x0000000000B04000-memory.dmp

      Filesize

      6.3MB

      Download