General

  • Target

    40e6e9ecc4f712d2f625d4b2120d286e_JaffaCakes118

  • Size

    348KB

  • Sample

    240713-j8bqfatcmm

  • MD5

    40e6e9ecc4f712d2f625d4b2120d286e

  • SHA1

    c2e25563fd71e25418f657d24cc49f46f6ea4061

  • SHA256

    5f356d778847c66a524d70c27a22ad86a93f8b78dba51edcc4af7da0129a55a6

  • SHA512

    6e3d644361f83a47f9abeeb963ede36984c3a634ffc3f783ba2daa866198ba3dca0de9bf564ff1e038436d94528ef34e8636e6ee59df93f5efd550a8ff429900

  • SSDEEP

    6144:qKRh1JKs9WlqIBn06LcGf5Cwth36oOcB8E8BLwGy6pFPinXjW5Cc4/TievpcatOL:vRh1JKuWlqIBngGf5Ft16oB8NBLwGy6N

Malware Config

Extracted

Family

xtremerat

C2

偌schalfer.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks