Overview

overview

10

Static

static

10

JaffaCakes...47.exe

windows7-x64

10

JaffaCakes...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_de80b75daf9e3549c0d61166fbe0f147.exe

  • Size

    2.0MB

  • MD5

    de80b75daf9e3549c0d61166fbe0f147

  • SHA1

    445c7a4e543c319dff09d12b77b9aa33bfccc5ff

  • SHA256

    7a89d7167264d77656b8cac1cef82a3e16f3dd51d679b178833a953a5cb11235

  • SHA512

    83f8b92ef215e0398ee38963bcedce1590384b0f1a8f17cb09749c887c78ede374890965a01cb475ac0794a4eafb5ac7c0b48e347a6df7eda58b2fe1cbe657d1

  • SSDEEP

    49152:cwj3o71JZAB3jBn8cjcdPH/+yDMu3JgHzCueUTG:cBLZABTF8Ic94u3YveX

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_de80b75daf9e3549c0d61166fbe0f147.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_de80b75daf9e3549c0d61166fbe0f147.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\System32\bdeui\spoolsv.exe
      "C:\Windows\System32\bdeui\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\bdeui\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\imapi\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\gb2312\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\FXST30\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SoftwareDistribution\backgroundTaskHost.exe
    Filesize

    2.0MB

    MD5

    de80b75daf9e3549c0d61166fbe0f147

    SHA1

    445c7a4e543c319dff09d12b77b9aa33bfccc5ff

    SHA256

    7a89d7167264d77656b8cac1cef82a3e16f3dd51d679b178833a953a5cb11235

    SHA512

    83f8b92ef215e0398ee38963bcedce1590384b0f1a8f17cb09749c887c78ede374890965a01cb475ac0794a4eafb5ac7c0b48e347a6df7eda58b2fe1cbe657d1

    Download Submit

  • memory/2260-0-0x00007FF940713000-0x00007FF940715000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2260-1-0x0000000000100000-0x000000000030E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2260-4-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2260-26-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4644-29-0x00000000029E0000-0x00000000029E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-27-0x00000000029A0000-0x00000000029AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4644-30-0x0000000002A20000-0x0000000002A76000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4644-28-0x00000000029B0000-0x00000000029B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-32-0x0000000002AB0000-0x0000000002ABC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4644-33-0x0000000002A80000-0x0000000002A88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-34-0x0000000002A00000-0x0000000002A08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-31-0x00000000029F0000-0x00000000029F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-36-0x0000000002A90000-0x0000000002A98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4644-35-0x0000000002A70000-0x0000000002A78000-memory.dmp

    Filesize

    32KB

    Download