General

  • Target

    40030304ef63db29a774700e7b82273f_JaffaCakes118

  • Size

    224KB

  • Sample

    240713-d1d8pstemj

  • MD5

    40030304ef63db29a774700e7b82273f

  • SHA1

    a2f07e9a2c4f0c1654fcb507e987bba10172af4a

  • SHA256

    396ac5f9a7940fddfe6c13b3f260ffd7b955ad93bbff9e457606c8f5afe49136

  • SHA512

    5f3408436aeed482551771f79a3342c92523ef59397d211010badad920ae400b3f9e51a54d82492378e6f2c724c3092923735a38a94404274063f61386369543

  • SSDEEP

    6144:PdnhnCuKCme7IvVv60nFETpFsMmKAae0du:PdhCnveEvVi+ETpFpmKAae0du

Malware Config

Targets

    • Target

      40030304ef63db29a774700e7b82273f_JaffaCakes118

    • Size

      224KB

    • MD5

      40030304ef63db29a774700e7b82273f

    • SHA1

      a2f07e9a2c4f0c1654fcb507e987bba10172af4a

    • SHA256

      396ac5f9a7940fddfe6c13b3f260ffd7b955ad93bbff9e457606c8f5afe49136

    • SHA512

      5f3408436aeed482551771f79a3342c92523ef59397d211010badad920ae400b3f9e51a54d82492378e6f2c724c3092923735a38a94404274063f61386369543

    • SSDEEP

      6144:PdnhnCuKCme7IvVv60nFETpFsMmKAae0du:PdhCnveEvVi+ETpFpmKAae0du

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks