Overview

overview

10

Static

static

3

JaffaCakes...2a.exe

windows7-x64

10

JaffaCakes...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_c95ac454cf5cab75cd487ccb82ee5d2a.exe

  • Size

    3.3MB

  • MD5

    c95ac454cf5cab75cd487ccb82ee5d2a

  • SHA1

    5098362ca55b5c1b4e22685f5a3fd7d2752df2e9

  • SHA256

    91704a8d50393554e16e3cb1c4323a1ac3fd69ec86c503f86cf2736965abea3b

  • SHA512

    782cb16c300eb5dad7862772aa6072224884349f64de5e876ce59bd2d7cf6ecaf4ffd096c3fb825404821394538f6950990c19b26182cdd4ef29f2bed331f8ce

  • SSDEEP

    98304:jLozdB/qu2Ae/tYgFgYYU9xA+X6PwBZ9McLu:vozdYBYU9UwBZDu

Score
10/10
dcratbootkitdiscoveryevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 14 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 11 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95ac454cf5cab75cd487ccb82ee5d2a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95ac454cf5cab75cd487ccb82ee5d2a.exe"
    1⤵
    • DcRat
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBMujHlZ86.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:2968
        • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95ac454cf5cab75cd487ccb82ee5d2a.exe
          "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95ac454cf5cab75cd487ccb82ee5d2a.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\MSOCache\All Users\explorer.exe
            "C:\MSOCache\All Users\explorer.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Checks whether UAC is enabled
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\wmpps\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\netbios\smss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3060
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsData004e\csrss.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\C_10002\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2924
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\korean\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\explorer.exe
      Filesize

      3.3MB

      MD5

      c95ac454cf5cab75cd487ccb82ee5d2a

      SHA1

      5098362ca55b5c1b4e22685f5a3fd7d2752df2e9

      SHA256

      91704a8d50393554e16e3cb1c4323a1ac3fd69ec86c503f86cf2736965abea3b

      SHA512

      782cb16c300eb5dad7862772aa6072224884349f64de5e876ce59bd2d7cf6ecaf4ffd096c3fb825404821394538f6950990c19b26182cdd4ef29f2bed331f8ce

      Download Submit

    • C:\ProgramData\mntemp
      Filesize

      16B

      MD5

      f08fafc6e9da6af1aa9a2f3814c5f900

      SHA1

      7f7630cbdaed1d187655a901c988e85d923ee8d3

      SHA256

      f65f6f16daef6659c359934a2307c8a75a180aec06c0fe6bb35bdca4cbf44227

      SHA512

      f1dafc7a72bcb3b1e4247be67e0b3d67dfff59a494d17a4501a620dec3cbefee694e02408e483a06cb81dd36369493e755c9d4d06240f1d7059a97dc7c29820c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\6b47530fed616ea274ab4cbafdd494e0bd3cb4de3ddfe47bce8ce7ecac829aad996a7761ee1605d1
      Filesize

      536B

      MD5

      0f2cf4cfa8f34ad1d0945067fdaa9a83

      SHA1

      237f76486d7751cbcbb4ce9ebe308bfb6f28576a

      SHA256

      b11025697c5e2a2a9fc264c4fb0a96820d6d89d058c15e481f554388e94a36e7

      SHA512

      2d00a027e44a9f139ddefc814551f74288fb95b24c448809407288c80ca983d974cb40646618c8f685a3b625a9c6fc70af2b27b8f203c3716aa95333550040e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\uBMujHlZ86.bat
      Filesize

      248B

      MD5

      672497588b073b42480236aab50c2279

      SHA1

      08c7ab97814c7f6cf063b011e61451322081cd5d

      SHA256

      68c93dc9d8278a416bfa15319408e938703b17c3a849648d4995c07679251f06

      SHA512

      d4a8d72f5629997d5cff29de7227b20f6a5647faa2b4cb313d9bbbd6e57690cd1d373fe9b492caed8ff6ede6b44f0dba4bca1f89a12b2c25ab467b916e71683a

      Download Submit

    • memory/1708-0-0x0000000000AD0000-0x00000000012C8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1708-3-0x0000000000AD0000-0x00000000012C8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1708-2-0x0000000000AD0000-0x00000000012C8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1708-17-0x0000000000AD0000-0x00000000012C8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1728-60-0x0000000000610000-0x0000000000618000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1728-59-0x0000000000600000-0x000000000060C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1728-67-0x0000000001150000-0x0000000001948000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1728-61-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1728-56-0x0000000000310000-0x000000000031E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1728-58-0x00000000005F0000-0x00000000005F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1728-57-0x0000000000840000-0x0000000000896000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1728-52-0x0000000001150000-0x0000000001948000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1728-53-0x0000000001150000-0x0000000001948000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/1728-54-0x00000000002D0000-0x00000000002DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1728-55-0x00000000002F0000-0x00000000002F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2620-47-0x0000000006AB0000-0x00000000072A8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2620-50-0x00000000012B0000-0x0000000001AA8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2620-48-0x0000000006AB0000-0x00000000072A8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2620-22-0x00000000012B0000-0x0000000001AA8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2620-21-0x00000000012B0000-0x0000000001AA8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2620-19-0x00000000012B0000-0x0000000001AA8000-memory.dmp

      Filesize

      8.0MB

      Download

    • memory/2644-18-0x0000000002360000-0x0000000002B58000-memory.dmp

      Filesize

      8.0MB

      Download