General

  • Target

    3f3e33c26d70278d1fcebc64856d05e8_JaffaCakes118

  • Size

    793KB

  • Sample

    240712-25w63svcnl

  • MD5

    3f3e33c26d70278d1fcebc64856d05e8

  • SHA1

    42f2a40a727b58a8d50d74f27fd8432b8c571b63

  • SHA256

    1d5a871ef2b2520762debaadff289f99eb901931c990e1f0d26e0f95efccb29e

  • SHA512

    1b7b2f477825b8e083a7f0c76a8f4fa6c685bb9eee37e4672095693e12c1a8a6076785f31fd8ec980acec3dc39367e44eda79d660336a7380371faf9e061a6b3

  • SSDEEP

    12288:LhhSJRyeHyKAhIV4IoSoJze68PvanRJkHVphYJGTaTFxfj5VtEByClkRqTzd:LqyeHypU4RJK007QGTojfjzw

Malware Config

Extracted

Family

xtremerat

C2

nerozhack.ddns.com.br

alonedevil.no-ip.org

gameszero.dyndns.org

Targets

    • Detect XtremeRAT payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • UAC bypass

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks