General

  • Target

    4f697b0aeb44cbb7f22b02d19b7122c5_JaffaCakes118

  • Size

    424KB

  • Sample

    240716-weabqswgje

  • MD5

    4f697b0aeb44cbb7f22b02d19b7122c5

  • SHA1

    9c205e05d5e52f0669479971a9a3a17b911bff0d

  • SHA256

    e8206004c0606c56dea9ab1acad5037d8d52bbc819546d1aafbf76decaa6da81

  • SHA512

    48edd11dfb88c7785d8522ab0a99348b6d9e6a7bff08f4f5c2607ad03ca818576bcc4df572b8544a305a039d35ce0ca0e6252bd8e50513cc4badd1364c54e8b9

  • SSDEEP

    12288:e4Dbo6r6K/lGRgOUqmq9kR6lhKXadJ6AsW:ez62K/cRgOnmq9g6tEW

Malware Config

Extracted

Family

xtremerat

C2

stop-top.no-ip.info

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15