General

  • Target

    4efd834d2514f0f58b7040266d2dc128_JaffaCakes118

  • Size

    236KB

  • Sample

    240716-s7dyvazbpl

  • MD5

    4efd834d2514f0f58b7040266d2dc128

  • SHA1

    e7dcaabdcb2a16c675a29ca9dd68350b9169947a

  • SHA256

    5acb858814052cd5bb85916bbe76330c8225c9df807d362e82d0ab51cb75c462

  • SHA512

    5a7671e9d45422173fd902082caeadd1bf610bfa474c97c2b31b1363be79838cd94f45271abb17e5464d7825bc01e682fe89ee2e4e281595229e53d9310e0617

  • SSDEEP

    1536:xuCgbVjVm20c/7AsFmQrK3KkpDMfrO91dFwvK:xFgw20c/7AsxrUlf1dWv

Malware Config

Targets

    • Target

      4efd834d2514f0f58b7040266d2dc128_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (commonly seen when a hollowed or injected process is started)
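
The Active Setup and Run key signatures above name two persistence locations. The following PowerShell script is an added example, not part of the Triage report, that enumerates both locations on the detonation VM and flags entries whose command does not launch from the Windows or Program Files trees, hashing the target file so a hit can be matched against the sample MD5 from this report. The key paths are the standard Windows locations; the trusted-root heuristic and the output shape are assumptions for illustration.

```powershell
# Added example: audit Active Setup and Run/RunOnce keys for untrusted persistence entries.
# Assumes it runs on the analysis VM after detonation. $SampleMd5 is the MD5 from the report.
$SampleMd5 = '4efd834d2514f0f58b7040266d2dc128'

$ActiveSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (assumption): commands launched from outside these roots are worth a look,
# since droppers typically persist from AppData, Temp or the user profile.
$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Get-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments to isolate the executable path
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-Trusted {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $TrustedRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-FileMd5 {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        return (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    }
    return $null
}

$findings = @()

# Active Setup: each subkey is a component; StubPath is run once per user at logon
foreach ($key in $ActiveSetupKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) {
            $exe = Get-CommandPath $stub
            if (-not (Test-Trusted $exe)) {
                $findings += [pscustomobject]@{ Source = 'ActiveSetup'; Key = $_.PSChildName; Command = $stub; Md5 = (Get-FileMd5 $exe) }
            }
        }
    }
}

# Run / RunOnce: each value name is an entry and the value data is the command line
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the PowerShell provider's metadata properties
        $exe = Get-CommandPath ([string]$p.Value)
        if (-not (Test-Trusted $exe)) {
            $findings += [pscustomobject]@{ Source = $key; Key = $p.Name; Command = $p.Value; Md5 = (Get-FileMd5 $exe) }
        }
    }
}

# Tag any persisted file whose hash equals the sample in this report
foreach ($f in $findings) {
    if ($f.Md5 -eq $SampleMd5) {
        $f | Add-Member -NotePropertyName Note -NotePropertyValue 'matches report MD5'
    }
}
$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so both HKLM and the current user's HKCU hive are readable. A dropped copy of the sample often carries a different name but the same hash, so the MD5 comparison is more reliable than matching on the file name; a renamed or repacked dropper will still show up through the untrusted-path heuristic, which is why both checks are kept.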

MITRE ATT&CK Enterprise v15

Tasks