dcrat | 75ec6658e2172199d78c87db3de2f85c1f49d229703e12d1725a0913ca4fe213

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Size

10.1MB
MD5

8afb3959eaf496cd8a73a3d91e25e22c
SHA1

44681a9d143cfd48ad3c7fe37e5b4c8f8378b22b
SHA256

75ec6658e2172199d78c87db3de2f85c1f49d229703e12d1725a0913ca4fe213
SHA512

0ec5a1fe87bd1cb5cdd5f686156d88313a57eba46b73f435dc98de5d07bf87d8cf86eb8640b2bdd0314c43bff27bf079708897c0ca5477bbbb2f2cc9405de0d1
SSDEEP

24576:W+O4GptFtiU9SsYm1oO9teGnlcZ/uIO0EdZX0usIW6fgtixy4s+8BIbT19h8OChG:x5o9Y+Iu0u+YoAgO9kK4XyWDAyH6e

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.CloudStore.Schema.DesktopShell\\fontdrvhost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.CloudStore.Schema.DesktopShell\\fontdrvhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\sysmon.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.CloudStore.Schema.DesktopShell\\fontdrvhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\sysmon.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4960	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4960	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4960	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4960	schtasks.exe	83

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Executes dropped EXE 1 IoCs

pid	Process
3376	fontdrvhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\Windows.CloudStore.Schema.DesktopShell\\fontdrvhost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\Windows.CloudStore.Schema.DesktopShell\\fontdrvhost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\sysmon.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\sysmon.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInputHost\\TextInputHost.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\WmiApSrv\\unsecapp.exe\""	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\WmiApSrv\unsecapp.exe	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File opened for modification	C:\Windows\System32\wbem\WmiApSrv\unsecapp.exe	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\System32\wbem\WmiApSrv\29c1c3cc0f76855c7e7456076a4ffc27e4947119	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\fontdrvhost.exe	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\5b884080fd4f94e2695da25c503f9e33b9605b83	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\121e5b5079f7c0e46d90f99b3864022518bbbda9	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\22eafd247d37c30fed3795ee41d259ec72bb351c	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
3392	schtasks.exe
3876	schtasks.exe
1968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe
3376	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
Token: SeDebugPrivilege	3376	fontdrvhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4288	3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe	88
PID 3420 wrote to memory of 4288	3420	JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe	88
PID 4288 wrote to memory of 3136	4288	cmd.exe	90
PID 4288 wrote to memory of 3136	4288	cmd.exe	90
PID 4288 wrote to memory of 3376	4288	cmd.exe	92
PID 4288 wrote to memory of 3376	4288	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8afb3959eaf496cd8a73a3d91e25e22c.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OlajzPKrte.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3136
- - C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\fontdrvhost.exe
    "C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiApSrv\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OlajzPKrte.bat

Filesize
238B

MD5
40d574575c5d9700c2a793faa2281a3d

SHA1
37c936e74ce26212dd06f889268a4f8e4f89c1cc

SHA256
f8e6f57e2aa5085672206c5d966442a6c4b7674d7031404deba65a717b69aedd

SHA512
626c42bca3a010d5af90f1ac74b7415d1ac1f64e66618ba211c154cb367132264aa2d12de143f16321847e673b276c853fcd2344550b28b99f1556eb3b6b11e8

Download Submit
C:\Windows\System32\Windows.CloudStore.Schema.DesktopShell\fontdrvhost.exe

Filesize
10.1MB

MD5
8afb3959eaf496cd8a73a3d91e25e22c

SHA1
44681a9d143cfd48ad3c7fe37e5b4c8f8378b22b

SHA256
75ec6658e2172199d78c87db3de2f85c1f49d229703e12d1725a0913ca4fe213

SHA512
0ec5a1fe87bd1cb5cdd5f686156d88313a57eba46b73f435dc98de5d07bf87d8cf86eb8640b2bdd0314c43bff27bf079708897c0ca5477bbbb2f2cc9405de0d1

Download Submit
memory/3376-25-0x0000000001D80000-0x0000000001D8A000-memory.dmp

Filesize
40KB

Download
memory/3376-22-0x0000000001D70000-0x0000000001D7C000-memory.dmp

Filesize
48KB

Download
memory/3376-21-0x0000000001D60000-0x0000000001D6C000-memory.dmp

Filesize
48KB

Download
memory/3376-23-0x0000000001DA0000-0x0000000001DAC000-memory.dmp

Filesize
48KB

Download
memory/3376-24-0x0000000003610000-0x0000000003618000-memory.dmp

Filesize
32KB

Download
memory/3376-26-0x000000001CA80000-0x000000001CB82000-memory.dmp

Filesize
1.0MB

Download
memory/3376-31-0x000000001CA80000-0x000000001CB82000-memory.dmp

Filesize
1.0MB

Download
memory/3420-16-0x00007FFB10BC0000-0x00007FFB11681000-memory.dmp

Filesize
10.8MB

Download
memory/3420-4-0x00007FFB10BC0000-0x00007FFB11681000-memory.dmp

Filesize
10.8MB

Download
memory/3420-1-0x00000000003A0000-0x0000000000DCA000-memory.dmp

Filesize
10.2MB

Download
memory/3420-0-0x00007FFB10BC3000-0x00007FFB10BC5000-memory.dmp

Filesize
8KB

Download