General
Target: JaffaCakes118_d2887b8a1e477a97c84e4b126cb360a3
Size: 1.1MB
Sample: 250109-z3h6bs1nfw
MD5: d2887b8a1e477a97c84e4b126cb360a3
SHA1: 8fb6cdbc31616bd460e703b5bcb77367321c5c8a
SHA256: ecfdb52196e58db344d66e7ec2e65cb589315dd7bed55bc2a0fe6afe86898433
SHA512: 0691b082aba27120413d99749edd4da34e39488ec3da3e325c93dd36a64b725e7d1623b62b87f4a1b064ee42c2c60e05f0d6d0f7520e81b8b7753820446a667b
SSDEEP: 12288:s4tUwqOjgrbMHiYVNtdE50qoc+vFqa/out/vsQJktVXN/JEqII1ZpvxIBGLEqqn4:zGfgcsVTdE507cQtHpq/KKvxUGLF+4

Behavioral task: behavioral1
Sample: JaffaCakes118_d2887b8a1e477a97c84e4b126cb360a3.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_d2887b8a1e477a97c84e4b126cb360a3.exe
Resource: win10v2004-20241007-en

Malware Config
Targets
Target: JaffaCakes118_d2887b8a1e477a97c84e4b126cb360a3
Score: 10/10

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Scheduled Task: 1