General

  • Target

    4f3603726a8106808450aee9a39fc365_JaffaCakes118

  • Size

    94KB

  • Sample

    240716-vb6p4avbmf

  • MD5

    4f3603726a8106808450aee9a39fc365

  • SHA1

    80d72cbb817aea685aabe343cf98e8f079800a54

  • SHA256

    d691d73f66210f5722799dd74ca41be89f6245134b866f9eb515411bffd7ef9c

  • SHA512

    455795e8116049468895799e2dc6a80a3eca952afa56f29f3f4dae9469a79fc05278c561e17103b245e66104db6a160933d6801ecc17f11d06d957c0919d949e

  • SSDEEP

    1536:yyRUHlrL1lr6an3TLuvm2buQ7RDfibqLqkSZZZ3nRDfibqLqkSZZZ3Mo3ArA8:yyRUZ7vAjRDqb0UnRDqb0UMo+

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    esam3at.no-ip.biz (a No-IP dynamic DNS hostname, so the resolved address can change between runs; pivot on the hostname, not a single IP)

Targets

    • Target

      4f3603726a8106808450aee9a39fc365_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT is a Delphi-written remote access trojan developed by xtremecoder; it has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a registry key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. At interactive logon Windows compares each component's Version value against the user's copy under HKCU and runs the component's StubPath command when the user copy is missing or older, so a new GUID with a StubPath executes once for every user who logs on.

    • Checks computer location settings

      Reads the country/region code the user configured in the registry (the locale settings under HKCU\Control Panel\International), most likely to geofence execution to or away from particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
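
The following PowerShell is an added hunting script, not part of the sandbox report or the sample; it enumerates the three locations the signatures above refer to (Active Setup Installed Components, the Run/RunOnce keys, and the configured region under Control Panel\International\Geo) and hashes the executable behind each autostart command against the SHA256 printed in this report. Assumptions: it runs in an elevated PowerShell on the host under investigation; the "user-writable path" test is a heuristic, not a signature; and the mapping of "Checks computer location settings" to the Geo\Nation value is an assumption about how the sandbox labels that behaviour.

```powershell
# Added hunting script (not from the report or the XtremeRAT sample).
# $ReportSha256 is the SHA256 of the analysed file as printed in the report.
$ReportSha256 = 'd691d73f66210f5722799dd74ca41be89f6245134b866f9eb515411bffd7ef9c'

# Heuristic (assumption): autostart commands living in user-writable folders
# are what dropped payloads typically look like; Microsoft's own entries do not.
function Test-UserWritablePath([string]$Command) {
    return [bool]($Command -match '(?i)(\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|%appdata%|%temp%|%localappdata%)')
}

# Extract the executable from a command line ("C:\x y\a.exe" /arg or C:\a.exe /arg)
# and expand %VARS% so Get-FileHash can open it. Returns $null if it is not on disk.
function Resolve-CommandExecutable([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) { return $exe }
    return $null
}

function Get-ActiveSetupEntries {
    # Each Installed Components\<GUID> with a StubPath runs at logon for any
    # user whose HKCU copy of the component is missing or has an older Version.
    $bases = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
    foreach ($base in $bases) {
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.StubPath) {
                [pscustomobject]@{
                    Source     = 'ActiveSetup'
                    Location   = "$base\$($_.PSChildName)"
                    Command    = [string]$p.StubPath
                    Suspicious = Test-UserWritablePath ([string]$p.StubPath)
                }
            }
        }
    }
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        # Drop the PSPath/PSParentPath/... properties PowerShell adds to the object.
        $item.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            [pscustomobject]@{
                Source     = 'RunKey'
                Location   = "$k\$($_.Name)"
                Command    = [string]$_.Value
                Suspicious = Test-UserWritablePath ([string]$_.Value)
            }
        }
    }
}

function Get-GeoNation {
    # Assumption: this is the value behind "Checks computer location settings".
    # Nation is the numeric GeoID chosen under Region settings; Name carries the
    # two-letter country code on Windows 10 and later (absent on older builds).
    $geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
    [pscustomobject]@{ GeoID = $geo.Nation; Country = $geo.Name }
}

# Hash every autostart target and flag anything that matches the report or
# points into a user-writable location.
$entries = @(Get-ActiveSetupEntries) + @(Get-RunKeyEntries)
foreach ($e in $entries) {
    $exe  = Resolve-CommandExecutable $e.Command
    $hash = if ($exe) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower() } else { $null }
    $e | Add-Member -NotePropertyName Executable    -NotePropertyValue $exe
    $e | Add-Member -NotePropertyName MatchesReport -NotePropertyValue ($hash -eq $ReportSha256)
}
$entries | Where-Object { $_.Suspicious -or $_.MatchesReport } |
    Format-Table Source, Location, Command, MatchesReport -AutoSize

$geo = Get-GeoNation
"Configured region: GeoID={0} Country={1}" -f $geo.GeoID, $geo.Country
```

A StubPath or Run value whose executable hashes to the report's SHA256 is a direct hit; a hit on the heuristic alone only means the command lives somewhere a dropped payload could write to and should be checked by hand. Note that ssdeep/fuzzy matching of repacked variants is out of scope for this script; it compares exact SHA256 only.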

MITRE ATT&CK Enterprise v15