General

  • Target

    3e7a110831308033d6d24ae4c58b5932_JaffaCakes118

  • Size

    108KB

  • Sample

    240712-xh7bbayakc

  • MD5

    3e7a110831308033d6d24ae4c58b5932

  • SHA1

    d768d64494e7d07a02c99d03fa3c9dec4ce8fa4b

  • SHA256

    189d6de846b6b866c72384f6dc3f813b482df5ff6145dda1e096f867bc7b8eda

  • SHA512

    74f77753edc22279fa657a40297202c9d24139612a7f3ab0d9b05e3f29c50a7db968a58aa070940b35aef6a8fbfce6c33af7a830dc19f3a08279fa5bd4e754d1

  • SSDEEP

    768:BsvAkSb0Uj/VT2EQg5yY28Zns5BnzI+47rmdN/xqgMg46oDUn/lahGNgFQ+v+IYw:OvA1pI8ZIBzIL74xqg86oe/lm7FuF

Malware Config

Extracted

Family

xtremerat

C2

ayada.dyndns.biz

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks