General

  • Target

    697632f4dc1850e4cbeb36912a4c3044_JaffaCakes118

  • Size

    40KB

  • Sample

    240523-c2cktsag3y

  • MD5

    697632f4dc1850e4cbeb36912a4c3044

  • SHA1

    d2a4b6478ad76bb0784741699143bd8fab4bddc8

  • SHA256

    359494a1e51ed9fc759c0a511b93ea8d18ff0b7d7c3ec51d5691a92a94b18418

  • SHA512

    c0414ade80d5420a1210b98cdf2af3407a7ee6696e47c3a37cd7dec8b0de780d41385bbe160b67b66cc7978114a8810c9978e06478f8acb9988953be403027db

  • SSDEEP

    768:3E9hghdN12Ozhiow2Gkm6+c3//UxC9PCzo+:3u+zMOlw2GkmS3Tmo

Malware Config

Targets

    • Target

      697632f4dc1850e4cbeb36912a4c3044_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks