General

  • Target

    3f21ad057dcaa0e86ca9df120e92c8d3_JaffaCakes118

  • Size

    113KB

  • Sample

    240712-2fp2gatarp

  • MD5

    3f21ad057dcaa0e86ca9df120e92c8d3

  • SHA1

    5acb0c33c3b69edf81844c444afa8e85e16c8f5e

  • SHA256

    2f674372fa1b3bd2b3c7c8499dd01e1de45e0bbdef7d06912035c9b7b8450a41

  • SHA512

    11c79c421c610899c29489386d7ac6aa6a76e8b96d1e9bed11f9e98d4f5b31474f063ee61eaa491d2173abb6ae798016834a93bd6953dfbf4ded968a9988f44e

  • SSDEEP

    1536:6C5p7b0RGwWtTYGUFwMeAur6vcOAFpRJNF+75DUSvHgMpvP5D9xOPcJS7:6Ido8tEMF+ErFnJkUmAMVRccJS7

Malware Config

Extracted

Family

xtremerat

C2

x0n1rlz.no-ip.biz

Targets

    • Target

      3f21ad057dcaa0e86ca9df120e92c8d3_JaffaCakes118
    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks