General
-
Target
JaffaCakes118_a6071d641845f00d647d2869a77dd8d7
-
Size
1.4MB
-
Sample
250108-xhtp8ayncw
-
MD5
a6071d641845f00d647d2869a77dd8d7
-
SHA1
39371220b3d9ebc702e8892b9c372f54c7341544
-
SHA256
f811048b185a950026d917a0a0626efa1696605d0c8c483da268f4d92ea463c4
-
SHA512
0e796c872a5f49ba7f22f90cf092f3c00e733d0c8491d06e868c3971fcae135735c7f10dc47cb5313ca761d8d5fcfc96f0db4439e7a3069f76764d43310792f8
-
SSDEEP
24576:z2G/nvxW3WwL+zdHJ2zljtfM8zCxqY3+SiSals+S5WhqN7+4V:zbA3f+hp4Zle+SIqNqo
Malware Config
Targets
-
-
Target
JaffaCakes118_a6071d641845f00d647d2869a77dd8d7
-
Size
1.4MB
-
MD5
a6071d641845f00d647d2869a77dd8d7
-
SHA1
39371220b3d9ebc702e8892b9c372f54c7341544
-
SHA256
f811048b185a950026d917a0a0626efa1696605d0c8c483da268f4d92ea463c4
-
SHA512
0e796c872a5f49ba7f22f90cf092f3c00e733d0c8491d06e868c3971fcae135735c7f10dc47cb5313ca761d8d5fcfc96f0db4439e7a3069f76764d43310792f8
-
SSDEEP
24576:z2G/nvxW3WwL+zdHJ2zljtfM8zCxqY3+SiSals+S5WhqN7+4V:zbA3f+hp4Zle+SIqNqo
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1