General
-
Target
JaffaCakes118_a1d6722720a1d0faa60e5faaa6951e25
-
Size
2.3MB
-
Sample
250108-qppara1nhw
-
MD5
a1d6722720a1d0faa60e5faaa6951e25
-
SHA1
8d32dba1594189b4b02632e583b2187d82564093
-
SHA256
08daa6de7fd43737def4dbe0950db36969476afd0fc819ba03d3601a2669f838
-
SHA512
d5a0fe3841f6fca72af1ebbb092fb32bbd4d29931dcabed881ffe6774b38a7c9595195b38655d497d214bc67f6ae962d25ec5231bad3acab98c564bf46e9fc6b
-
SSDEEP
49152:UbA300qL5o66QwgVAVph9QBoyycpwgPGdnDq3IEPs:UbV7oh9yycFODq3vPs
Malware Config
Targets
-
-
Target
JaffaCakes118_a1d6722720a1d0faa60e5faaa6951e25
-
Size
2.3MB
-
MD5
a1d6722720a1d0faa60e5faaa6951e25
-
SHA1
8d32dba1594189b4b02632e583b2187d82564093
-
SHA256
08daa6de7fd43737def4dbe0950db36969476afd0fc819ba03d3601a2669f838
-
SHA512
d5a0fe3841f6fca72af1ebbb092fb32bbd4d29931dcabed881ffe6774b38a7c9595195b38655d497d214bc67f6ae962d25ec5231bad3acab98c564bf46e9fc6b
-
SSDEEP
49152:UbA300qL5o66QwgVAVph9QBoyycpwgPGdnDq3IEPs:UbV7oh9yycFODq3vPs
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1