dcrat | 6b350fefc7d6ca79ca3e4cef39b4e71e7459d98ef213693ae3cec2c1b1d03863

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Size

2.0MB
MD5

c07cdd8d27b5b968b06166ceddcfd35a
SHA1

419905135ad7276f36edd5654ff50643875d52b3
SHA256

6b350fefc7d6ca79ca3e4cef39b4e71e7459d98ef213693ae3cec2c1b1d03863
SHA512

01ddba53ed10452aeefde7aa2bcb289d75d5ce90fe0771183d5abc5f3a178d20b5495381084e75e858130bf31dbdd33edf82d51c96d1e4a99ee4c21bf97327ed
SSDEEP

49152:kqL5o66QwgVAVph9QBoyycpwgPGdnDq3IEP:x7oh9yycFODq3vP

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\winrm\\RuntimeBroker.exe\""		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
		4804	schtasks.exe
		3616	schtasks.exe
		5096	schtasks.exe
		3604	schtasks.exe
		3436	schtasks.exe
		2688	schtasks.exe
File created	C:\Windows\System32\prntvpt\RuntimeBroker.exe		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
		1408	schtasks.exe
		5044	schtasks.exe
		2456	schtasks.exe
		4132	schtasks.exe
		4536	schtasks.exe
		4680	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\prntvpt\\RuntimeBroker.exe\""		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
		4960	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
		1608	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\winipcsecproc\\spoolsv.exe\""		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wlidres\\RuntimeBroker.exe\""		JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Dcrat family
dcrat

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4496	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4496	schtasks.exe	84

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1240-1-0x0000000000FB0000-0x00000000011C2000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c8c-11.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Executes dropped EXE 1 IoCs

pid	Process
3820	services.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\prntvpt\\RuntimeBroker.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PerfLogs\\dllhost.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\winipcsecproc\\spoolsv.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\ActiveHours\\sihost.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\msdtcVSp1res\\spoolsv.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\wimserv\\SppExtComObj.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\hhsetup\\sihost.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wlidres\\RuntimeBroker.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\services.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\SettingsHandlers_Flights\\SppExtComObj.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\winrm\\RuntimeBroker.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Documents and Settings\\StartMenuExperienceHost.exe\""	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\prntvpt\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\winipcsecproc\spoolsv.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File opened for modification	C:\Windows\System32\ActiveHours\sihost.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\hhsetup\sihost.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\hhsetup\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\prntvpt\RuntimeBroker.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\ActiveHours\sihost.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\wimserv\e1ef82546f0b02b7e974f28047f3788b1128cce1	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\SettingsHandlers_Flights\e1ef82546f0b02b7e974f28047f3788b1128cce1	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File opened for modification	C:\Windows\System32\prntvpt\RuntimeBroker.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\winipcsecproc\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\winrm\RuntimeBroker.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\wlidres\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\wimserv\SppExtComObj.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\winrm\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\wlidres\RuntimeBroker.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\ActiveHours\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\msdtcVSp1res\spoolsv.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\msdtcVSp1res\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\System32\SettingsHandlers_Flights\SppExtComObj.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\sysmon.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Program Files\ModifiableWindowsApps\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c30fed3795ee41d259ec72bb351c	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4804	schtasks.exe
1408	schtasks.exe
2688	schtasks.exe
2456	schtasks.exe
4536	schtasks.exe
3616	schtasks.exe
3436	schtasks.exe
1608	schtasks.exe
5096	schtasks.exe
5044	schtasks.exe
4960	schtasks.exe
3604	schtasks.exe
4132	schtasks.exe
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
4292	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
5048	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe
3820	services.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Token: SeDebugPrivilege	4292	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Token: SeDebugPrivilege	5048	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
Token: SeDebugPrivilege	3820	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4464	1240	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	90
PID 1240 wrote to memory of 4464	1240	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	90
PID 4464 wrote to memory of 2756	4464	cmd.exe	92
PID 4464 wrote to memory of 2756	4464	cmd.exe	92
PID 4464 wrote to memory of 4292	4464	cmd.exe	93
PID 4464 wrote to memory of 4292	4464	cmd.exe	93
PID 4292 wrote to memory of 4516	4292	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	98
PID 4292 wrote to memory of 4516	4292	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	98
PID 4516 wrote to memory of 3492	4516	cmd.exe	100
PID 4516 wrote to memory of 3492	4516	cmd.exe	100
PID 4516 wrote to memory of 5048	4516	cmd.exe	102
PID 4516 wrote to memory of 5048	4516	cmd.exe	102
PID 5048 wrote to memory of 1716	5048	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	108
PID 5048 wrote to memory of 1716	5048	JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe	108
PID 1716 wrote to memory of 3076	1716	cmd.exe	110
PID 1716 wrote to memory of 3076	1716	cmd.exe	110
PID 1716 wrote to memory of 3820	1716	cmd.exe	112
PID 1716 wrote to memory of 3820	1716	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IkhZ2KyQqS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ah1HAoUpid.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kjc7Aakhi7.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3076
        
        C:\PerfLogs\services.exe
        
        "C:\PerfLogs\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\prntvpt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\winipcsecproc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\winrm\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wlidres\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\ActiveHours\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\msdtcVSp1res\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Documents and Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\wimserv\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PerfLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_Flights\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\hhsetup\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JaffaCakes118_c07cdd8d27b5b968b06166ceddcfd35a.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkhZ2KyQqS.bat

Filesize
248B

MD5
4022d10089542ab90cfeb0bde498dc63

SHA1
cd78e6115d499b74fbbbb672f918f491c16e9210

SHA256
fe4bd97f62e649c3547c157fef9571fe172650ae743e9cd4fc36455af7ea7c37

SHA512
30e82f4d6e5ebb857f50e0485a135d53af6030151277939cba08160b8ee22b83d54acc4c8a1b51c2ac5ec96a4df67872607e7b0b181b0c40c303e8a7071c14f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjc7Aakhi7.bat

Filesize
188B

MD5
fe2eef556651ba2b0cae01b894c0a95d

SHA1
b8aa083036d5e6daa38b2f66fde65cb2a1395c7d

SHA256
ebe754b9952acb8fafb0792d54cf8a8f1568ee7f4200ebc74759557bba7694c4

SHA512
b851d4babe549504a81fa60b223120a708476025e24b2e004b1627a9ead798d582089028d3bc1845f179b6e756fbba276ae4e6d2d4a73628e9ce13278a2fb3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah1HAoUpid.bat

Filesize
248B

MD5
f5afd4b74542a9786b95fd78fd1ae4fa

SHA1
b9fff46c4b1d9ecae5c8fe205b6ec6d277d8a5fe

SHA256
805d3d37e5e195d1a90a368ad5539f28731120b1359c489d42e33723a9f79c22

SHA512
d2e83efa8a30f21d1ab32352efe12215a02ac666f55685708a4a11d30a00c98678a4883c2c206365ef302341d855a3f9f16b4a000fcb875eb07a2ef6e71f0b08

Download Submit
C:\Windows\System32\wlidres\RuntimeBroker.exe

Filesize
2.0MB

MD5
c07cdd8d27b5b968b06166ceddcfd35a

SHA1
419905135ad7276f36edd5654ff50643875d52b3

SHA256
6b350fefc7d6ca79ca3e4cef39b4e71e7459d98ef213693ae3cec2c1b1d03863

SHA512
01ddba53ed10452aeefde7aa2bcb289d75d5ce90fe0771183d5abc5f3a178d20b5495381084e75e858130bf31dbdd33edf82d51c96d1e4a99ee4c21bf97327ed

Download Submit
memory/1240-18-0x00007FFF8B110000-0x00007FFF8BBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1240-0-0x00007FFF8B113000-0x00007FFF8B115000-memory.dmp

Filesize
8KB

Download
memory/1240-4-0x00007FFF8B110000-0x00007FFF8BBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1240-1-0x0000000000FB0000-0x00000000011C2000-memory.dmp

Filesize
2.1MB

Download
memory/3820-52-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/3820-53-0x000000001BD00000-0x000000001BD56000-memory.dmp

Filesize
344KB

Download
memory/3820-54-0x000000001BD50000-0x000000001BD5A000-memory.dmp

Filesize
40KB

Download
memory/3820-55-0x000000001BD60000-0x000000001BD68000-memory.dmp

Filesize
32KB

Download
memory/3820-56-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/3820-57-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/3820-58-0x000000001BD70000-0x000000001BD78000-memory.dmp

Filesize
32KB

Download