General

  • Target

    349faf873bf744843321372d136909ab_JaffaCakes118

  • Size

    243KB

  • Sample

    240710-n5kldsycra

  • MD5

    349faf873bf744843321372d136909ab

  • SHA1

    d3bd232c7caa67ef75ee1a748be2538dcf369141

  • SHA256

    5c4946add18f556173a1d39ab8ff9715b87683d076f2c080ea48caf8c380b629

  • SHA512

    7c7cdd4bb4bdadaf8b5c451be152410b1102d9b0556dce6f4b8ba1c6a2f298230ef322378a106c7da1215345972d0917f8611ec4d9ec33460da1c872966e42fc

  • SSDEEP

    3072:XFd2Afoka0uMMGYmKlMCJ+UrxkCkK9a7+Z3wCYdj8vK1HDvhk1eSkDyfCnewUmG7:1jQwuYKs7M3jvEu1nkaCneT3NmEQm

Malware Config

Extracted

Family

xtremerat

C2

umtakcicek.dyndns.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks