dcrat | 3fe87dde7e2f707307d03115bf5aad1ad08ee11d8f9b4ce28579a54be834fbd6

General

Target

JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe
Size

1.5MB
MD5

dfc81712a62d2f2852ea631060a9ee91
SHA1

c6ed37c61d3b143e66b4abb53cccc4db1b0c61d1
SHA256

3fe87dde7e2f707307d03115bf5aad1ad08ee11d8f9b4ce28579a54be834fbd6
SHA512

1f3460a22cd25ed57056a4fae119ccf5ba983c4151b092759c84f30adeeb199b22af0a1caf5709f924b2b8190756aeca9757576ba95ed5bec705c5e3d393b832
SSDEEP

24576:T2G/nvxW3W7/okMlI4tH7Da3x1VStiA7iw63VboDAJDyL+qq+aWTIN+4H:TbA3m/oosbwswq63IEUI

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2580	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe
		2672	schtasks.exe
		2412	schtasks.exe
		2668	schtasks.exe
		2740	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2800	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186c8-9.dat	dcrat
behavioral1/memory/2056-13-0x0000000000E60000-0x0000000000F4C000-memory.dmp	dcrat
behavioral1/memory/1176-31-0x0000000000C50000-0x0000000000D3C000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2056	driverintoperfCommonsessiondll.exe
1176	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Microsoft Games\\Hearts\\it-IT\\explorer.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\clb\\dwm.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\winusb\\sppsvc.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\iscsicli\\conhost.exe\""	driverintoperfCommonsessiondll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\deskperf\\lsm.exe\""	driverintoperfCommonsessiondll.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\iscsicli\088424020bedd6b28ac7fd22ee35dcd7322895ce	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\deskperf\lsm.exe	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\deskperf\101b941d020240259ca4912829b53995ad543df6	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\clb\dwm.exe	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\clb\6cb0b6c459d5d3455a3da700e713f2e2529862ff	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\winusb\sppsvc.exe	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\winusb\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	driverintoperfCommonsessiondll.exe
File created	C:\Windows\System32\iscsicli\conhost.exe	driverintoperfCommonsessiondll.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\explorer.exe	driverintoperfCommonsessiondll.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\explorer.exe	driverintoperfCommonsessiondll.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	driverintoperfCommonsessiondll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2740	schtasks.exe
2580	schtasks.exe
2672	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	driverintoperfCommonsessiondll.exe
1176	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	driverintoperfCommonsessiondll.exe
Token: SeDebugPrivilege	1176	conhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2500	2508	JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe	30
PID 2508 wrote to memory of 2500	2508	JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe	30
PID 2508 wrote to memory of 2500	2508	JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe	30
PID 2508 wrote to memory of 2500	2508	JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe	30
PID 2500 wrote to memory of 2480	2500	WScript.exe	31
PID 2500 wrote to memory of 2480	2500	WScript.exe	31
PID 2500 wrote to memory of 2480	2500	WScript.exe	31
PID 2500 wrote to memory of 2480	2500	WScript.exe	31
PID 2480 wrote to memory of 2056	2480	cmd.exe	33
PID 2480 wrote to memory of 2056	2480	cmd.exe	33
PID 2480 wrote to memory of 2056	2480	cmd.exe	33
PID 2480 wrote to memory of 2056	2480	cmd.exe	33
PID 2056 wrote to memory of 2976	2056	driverintoperfCommonsessiondll.exe	40
PID 2056 wrote to memory of 2976	2056	driverintoperfCommonsessiondll.exe	40
PID 2056 wrote to memory of 2976	2056	driverintoperfCommonsessiondll.exe	40
PID 2976 wrote to memory of 2228	2976	cmd.exe	42
PID 2976 wrote to memory of 2228	2976	cmd.exe	42
PID 2976 wrote to memory of 2228	2976	cmd.exe	42
PID 2976 wrote to memory of 1176	2976	cmd.exe	44
PID 2976 wrote to memory of 1176	2976	cmd.exe	44
PID 2976 wrote to memory of 1176	2976	cmd.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfc81712a62d2f2852ea631060a9ee91.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverintoperfCommon\cnLEOZ0Cs77BjiYBoldKr4XhBkP7.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\driverintoperfCommon\CAvx95pfV2AM7XiAa.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\driverintoperfCommon\driverintoperfCommonsessiondll.exe
      "C:\driverintoperfCommon\driverintoperfCommonsessiondll.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ptbK1nYdC5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2228
      - C:\Windows\System32\iscsicli\conhost.exe
        
        "C:\Windows\System32\iscsicli\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\clb\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\winusb\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\iscsicli\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\deskperf\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ptbK1nYdC5.bat

Filesize
204B

MD5
28a9f32bd2b9b7b09efa32c61b736fc8

SHA1
6670f3c921385c892255c031705a156bd300f05c

SHA256
23c7ab55b1f0df1285e1b5102eef4d9b45a79055aebb919f78e521bcadbe1527

SHA512
763f8228bb0dac39ce11c61311bbf1c68ca4a7e563be99548b26b098900a29e64ed5e8a7772b9183f4ec6949154bf873f5f2a6e68de3ef3a03b5e0fe7f006ead

Download Submit
C:\driverintoperfCommon\CAvx95pfV2AM7XiAa.bat

Filesize
60B

MD5
7714e2b53919911e980444b45460395e

SHA1
21cddd2196d4e75bbb2cc7707b94934932680d07

SHA256
6e0f83f0badfed55ce960d3f3b49b742c3f2bf50e36beefd48fdbb2d0b71bc8c

SHA512
2611942f953a7c4deaf4a80863279a309befa69171f2e657a671afc52b9540dbada2b147280ac2af05d71e78802ba56b0cd82bfe8799fcd53805ffa0b828ae03

Download Submit
C:\driverintoperfCommon\cnLEOZ0Cs77BjiYBoldKr4XhBkP7.vbe

Filesize
214B

MD5
bbfc29b101d00fa56d63c01944c2f151

SHA1
432bdc5301e5876aaa53bb2cf5379dc3b1504def

SHA256
4f54c1b2f29bb436b25e7ecd25077ec1e17768ea30319fd7f7bf0e94898ad912

SHA512
341b25874b56d61edc53074043f5a714582751ae60170a57200ea7c02375f9e327149ca0dd980f3afea6a5da79cfeca5aa2b9cf8d4cc08b2f59d9ec195a1e906

Download Submit
\driverintoperfCommon\driverintoperfCommonsessiondll.exe

Filesize
912KB

MD5
7902d7438cd06a2393e97a07fbf53b08

SHA1
6cd4f8d9510d87d2f112cd6be3e92dba29456319

SHA256
9cb41290c48b270282afbcc08569844197c642382bb79d621568fa3ac0ca1439

SHA512
81d167bf915501a286285f6e1f08419c9576713549f3cef6e7dd7954874e9a43e5b1d18e7546fd696afeffcb9f8f43069dd5f11302f12259d83c652b6c5a3cd0

Download Submit
memory/1176-31-0x0000000000C50000-0x0000000000D3C000-memory.dmp

Filesize
944KB

Download
memory/2056-13-0x0000000000E60000-0x0000000000F4C000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads