General

  • Target

    JaffaCakes118_7902d7438cd06a2393e97a07fbf53b08

  • Size

    912KB

  • Sample

    250107-zs4z2szqck

  • MD5

    7902d7438cd06a2393e97a07fbf53b08

  • SHA1

    6cd4f8d9510d87d2f112cd6be3e92dba29456319

  • SHA256

    9cb41290c48b270282afbcc08569844197c642382bb79d621568fa3ac0ca1439

  • SHA512

    81d167bf915501a286285f6e1f08419c9576713549f3cef6e7dd7954874e9a43e5b1d18e7546fd696afeffcb9f8f43069dd5f11302f12259d83c652b6c5a3cd0

  • SSDEEP

    24576:Sa3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4:Rswq63IEU

Malware Config

Targets

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks