Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
10-01-2025 23:34
General
-
Target
JaffaCakes118_f1342761444e6e47af7046bc2db0719a.exe
-
Size
2.4MB
-
MD5
f1342761444e6e47af7046bc2db0719a
-
SHA1
d189131f9d477bc4fa4524e1fd2521fb49887811
-
SHA256
65730273fac03a90f29ce7f8d9b5275604a26b33267d1604cab394150dc7c160
-
SHA512
97bd8769c85b93f97218af456e45862806b5f75e25647c72f1de01bf65599be9b4d597f875ee0843d9390d2d8d1520dee12cf0baedd572da5a8dfd5d4ac16314
-
SSDEEP
49152:PbA3uqwj3o71JZAB3jBn8cjcdPH/+yDMu3JgHzCueUTG4:PbMBLZABTF8Ic94u3YveX4
Malware Config
Signatures
-
DcRat 10 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f1342761444e6e47af7046bc2db0719a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f1342761444e6e47af7046bc2db0719a.exe"1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Perfmonitor\lNQQOstPqxiFMmsYvmB.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Perfmonitor\O0mpFdbBjdm7srZfGtzhIPYG.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Perfmonitor\Perfmonitorfontinto.exe"C:\Perfmonitor\Perfmonitorfontinto.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6l3dIJAdNE.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\SysWOW64\ds32gt\cmd.exe"C:\Windows\SysWOW64\ds32gt\cmd.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ds32gt\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\audiosrv\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\PNPXAssoc\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50766bee941f5489c2a24060aa12da278
SHA1cc8dd7a812c5089f9ee259e0b877e33e2246203a
SHA25602b87d654cc308a9628dbce66d9a5c2585eeaf85dbecadd02bea72116f2c4967
SHA512c77bf28da7ea054152974b281de47d7d64e73eb66af96613fffbbaeffbb65a266ee7e5cfc0460cdc1ff220e7d7397241c3d3293d5d64784ed73181b17d41799e
-
Filesize
2.0MB
MD5de80b75daf9e3549c0d61166fbe0f147
SHA1445c7a4e543c319dff09d12b77b9aa33bfccc5ff
SHA2567a89d7167264d77656b8cac1cef82a3e16f3dd51d679b178833a953a5cb11235
SHA51283f8b92ef215e0398ee38963bcedce1590384b0f1a8f17cb09749c887c78ede374890965a01cb475ac0794a4eafb5ac7c0b48e347a6df7eda58b2fe1cbe657d1
-
Filesize
212B
MD5c8e9ef06df615850dd97024f6b0afd27
SHA14b52ceec0e0daa0569cf8d4538cfd1ffa6cd6151
SHA2561b2e5af3efd2f7d71c218fb9843ddc8ceae4af239559f928f4841d90a2e14ad1
SHA512351901ded3974d2b25b832d3880a174ba9d4ff7f1c7b1f0246545007d67bc180b9a255106446a7a8e404fd1eac8a833c62b2a2581d312d6e80fbc7a6cd24ed32
-
Filesize
198B
MD5baa87d1a0c31cd7cf3d3b176e7aef836
SHA17790237768b571b4572a4e508e3247dbc76c4f8b
SHA25651957a2afab9dc6d4306c265dd4677a0725db9452e76ccfb5c9b24928ad40e52
SHA5128cbcc501fd1c6ff7a9275bc64d7f206222aac09ec3f80212a71b2084ff9e224168fb1eabdfe188b0cd3a58b117439bddb77476d9f8df75d9145ff67135dd177c
-
Filesize
32KB
-
Filesize
2.1MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.1MB