Overview

overview

10

Static

static

3

JaffaCakes...f8.exe

windows7-x64

10

JaffaCakes...f8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_b99a438bb5300f4aee538098b882cdf8

  • Size

    2.9MB

  • Sample

    250109-c46axsvkd1

  • MD5

    b99a438bb5300f4aee538098b882cdf8

  • SHA1

    560f538147a4ca5e6bfeadb3ef48ccde7070120c

  • SHA256

    89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

  • SHA512

    4ef448045f7e16cacf9ec86a70b9be823f766386bd10b2d0550d1d49a21a0a60907a9c3d8c2bbd2dc87024789d6da28f45cd018d7e52623791eccde9f6a21f84

  • SSDEEP

    49152:7wefjxPCEjdphA8ZLUj+khAHYevjm7rDeqYQjmCYi78jFA:7zqCA85UuHYeLu0PCYi78q

Score
10/10
dcratdiscoveryevasioninfostealerpersistencerat

Malware Config

Targets

    • Target

      JaffaCakes118_b99a438bb5300f4aee538098b882cdf8

    • Size

      2.9MB

    • MD5

      b99a438bb5300f4aee538098b882cdf8

    • SHA1

      560f538147a4ca5e6bfeadb3ef48ccde7070120c

    • SHA256

      89c098f195e0becb85dbdba2a1f03a2a69081dc6c6364c3c0d4cef5cafc5bab2

    • SHA512

      4ef448045f7e16cacf9ec86a70b9be823f766386bd10b2d0550d1d49a21a0a60907a9c3d8c2bbd2dc87024789d6da28f45cd018d7e52623791eccde9f6a21f84

    • SSDEEP

      49152:7wefjxPCEjdphA8ZLUj+khAHYevjm7rDeqYQjmCYi78jFA:7zqCA85UuHYeLu0PCYi78q

    Score
    10/10
    dcratdiscoveryevasioninfostealerpersistencerat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks