General

  • Target: 351c5d3f4ad16a00636b6f4121ad6198_JaffaCakes118
  • Size: 221KB
  • Sample: 240710-rsz24ashqp
  • MD5: 351c5d3f4ad16a00636b6f4121ad6198
  • SHA1: 627eb7eca4119da150ae860e56c554ddf361c8dc
  • SHA256: 35390d60f4b4adb5c015137b8831c74dac5d06c1a211635faf89fc3cde4b1e69
  • SHA512: 83633ef8e7ef6a69437260466833a6f188707d0bb6d18ded139aa19a3a12559d965721124307edcbc39670804b58766624a4d9df754d1df3c8fb017622ae0780
  • SSDEEP: 6144:yxXUMzzCyMIBlhcODcnVW5GJZ2tNYLj8MfsQxuMGkk:yBk1oDUVzYKj86sQykk

Malware Config

Extracted

  • Family: xtremerat
  • C2: tornadozz.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks