Overview

overview

10

Static

static

3

fd66dec349...18.exe

windows7-x64

10

fd66dec349...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fd66dec34900329aae987e3f955e8935_JaffaCakes118

  • Size

    50KB

  • Sample

    240420-xhn5qsff91

  • MD5

    fd66dec34900329aae987e3f955e8935

  • SHA1

    71a837458644e43a44241188dfe8253d37acea57

  • SHA256

    7aea79d102ae1ce0af4e32533d71eb3692cf22eeb97812e2604abde49a4662b0

  • SHA512

    c321fc4a48273de06aef11aa58b3ffe079c61e16037229ffc0bf592a8a309262b0a3ab0239583903ea41b05b4e495a22b4b219b32e1c3df4e8b6e6df0c38b139

  • SSDEEP

    1536:AxFRLVwAC4OjwUBHleAQRjB9efFp1/N9fi:A3pgXbd0jvIfF9i

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

aline.zapto.org

Targets

    • Target

      fd66dec34900329aae987e3f955e8935_JaffaCakes118

    • Size

      50KB

    • MD5

      fd66dec34900329aae987e3f955e8935

    • SHA1

      71a837458644e43a44241188dfe8253d37acea57

    • SHA256

      7aea79d102ae1ce0af4e32533d71eb3692cf22eeb97812e2604abde49a4662b0

    • SHA512

      c321fc4a48273de06aef11aa58b3ffe079c61e16037229ffc0bf592a8a309262b0a3ab0239583903ea41b05b4e495a22b4b219b32e1c3df4e8b6e6df0c38b139

    • SSDEEP

      1536:AxFRLVwAC4OjwUBHleAQRjB9efFp1/N9fi:A3pgXbd0jvIfF9i

    Score
    10/10
    xtremeratpersistenceratspywareupx

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Modifies Installed Components in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks