General

  • Target

    3cf42fd9caf07439a99289cb4c41aebb_JaffaCakes118

  • Size

    520KB

  • Sample

    240712-l8cc3syfpq

  • MD5

    3cf42fd9caf07439a99289cb4c41aebb

  • SHA1

    8807f08c90a122e28f92e201036dfd0e58a32911

  • SHA256

    cebfe27ed9d97b2dc79dac60c5422b33e2dbe8c25a2945e0a8c0893b512e32b9

  • SHA512

    c45cecc4fddf9e846a304b806c2a37b4960c52721c999bb0a3c44c09dccd4ee7b3254b234e826b8eacd77fc5dec420657c83eda065bb43725c8774462c3d68de

  • SSDEEP

    12288:ZHkxkmDqkRkhBTbcwXaNeQBdmHfI3C+V1B9:ZEarB3KNeQBdafIS

Malware Config

Extracted

Family

xtremerat

C2

boube1900.no-ip.info

Targets

    • Target

      3cf42fd9caf07439a99289cb4c41aebb_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks