General
-
Target
e4be72eaed83102b4f86ba0c179ad73b_JaffaCakes118
-
Size
154KB
-
Sample
240407-mvvg6sba3t
-
MD5
e4be72eaed83102b4f86ba0c179ad73b
-
SHA1
abe62fe3d5ba15412953f1579d0b85194827fba2
-
SHA256
556788d05397a55d033825002b4ff0e3d1ed4787c1077570f6a78d06d50e6a1d
-
SHA512
362858992b49271beeb35871c01d272686272ff3b23fc86d3ee9ebfef5d1ad608add0b867a1616f265dab4683e28ad6a467dc30e6ccd1c19d76a4a300be59a38
-
SSDEEP
3072:Tjl5OJjtBvw9riwu00V9oPYTLyWetx8BKpe8cSlsiz9j:TjjIjtBI9+wu0M9oPYSNt9b
Static task
static1
Behavioral task
behavioral1
Sample
e4be72eaed83102b4f86ba0c179ad73b_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
e4be72eaed83102b4f86ba0c179ad73b_JaffaCakes118
-
Size
154KB
-
MD5
e4be72eaed83102b4f86ba0c179ad73b
-
SHA1
abe62fe3d5ba15412953f1579d0b85194827fba2
-
SHA256
556788d05397a55d033825002b4ff0e3d1ed4787c1077570f6a78d06d50e6a1d
-
SHA512
362858992b49271beeb35871c01d272686272ff3b23fc86d3ee9ebfef5d1ad608add0b867a1616f265dab4683e28ad6a467dc30e6ccd1c19d76a4a300be59a38
-
SSDEEP
3072:Tjl5OJjtBvw9riwu00V9oPYTLyWetx8BKpe8cSlsiz9j:TjjIjtBI9+wu0M9oPYSNt9b
-
Detect XtremeRAT payload
-
Modifies firewall policy service
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Modifies Installed Components in the registry
-
Deletes itself
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3