General

  • Target

    34e9e7f182e24d5d498585f742749121_JaffaCakes118

  • Size

    428KB

  • Sample

    240710-qq5dcssgke

  • MD5

    34e9e7f182e24d5d498585f742749121

  • SHA1

    1d35554a4c5c10fc1b13fbd1891e8f171ed66176

  • SHA256

    d7097c3406e386825e38053755df92e624faa0903665ffc1d61d2a7d450f8707

  • SHA512

    5afa1b682a0f66f36536963244b6f30c4dce3c8bc0c363997e33283c1be3b605287a656954c5174454178c6b045c6d3f4f87e6e3c6150c76a9ef24d0e75cecb0

  • SSDEEP

    12288:SfK7ha1V4vpqRMvd4YKB7V5mect1EOmFlLYTfXOYwPfDv7Upy+77UXw8gdUYHoKZ:SfK7ha1V4vpquvd4YKB7V5mec/EjYTfV

Malware Config

Extracted

Family

xtremerat

C2

rabah1627.zapto.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks