General

  • Target

    503ba7f679d042c020e14e4025c16161_JaffaCakes118

  • Size

    615KB

  • Sample

    240716-1x9xjasckj

  • MD5

    503ba7f679d042c020e14e4025c16161

  • SHA1

    cdccb5c58265f46babe2e5626effc2b799a8d692

  • SHA256

    6aa7a48dfd92511dc70cdbd6539f6b56946f185d9e1451fc7e8f4787880e3451

  • SHA512

    115757b43c9f318d00432bac060205166bc4a3e062e33505589922a26992658bf236087b4d216cbc783a07fe596f40b88d542c887c76a1a5296a25c6ebd717a4

  • SSDEEP

    12288:9u/eEyDXGtIgdjkhjA0zL5tbYe5WyuovxnjlSOjolM:94TAgUjA0ztie6ovxnBz

Malware Config

Extracted

Family

xtremerat

C2

cescmouad.zapto.org

Targets

    • Target

      503ba7f679d042c020e14e4025c16161_JaffaCakes118

    • Size

      615KB

    • MD5

      503ba7f679d042c020e14e4025c16161

    • SHA1

      cdccb5c58265f46babe2e5626effc2b799a8d692

    • SHA256

      6aa7a48dfd92511dc70cdbd6539f6b56946f185d9e1451fc7e8f4787880e3451

    • SHA512

      115757b43c9f318d00432bac060205166bc4a3e062e33505589922a26992658bf236087b4d216cbc783a07fe596f40b88d542c887c76a1a5296a25c6ebd717a4

    • SSDEEP

      12288:9u/eEyDXGtIgdjkhjA0zL5tbYe5WyuovxnjlSOjolM:94TAgUjA0ztie6ovxnBz

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks