General

  • Target

    4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118

  • Size

    119KB

  • Sample

    240716-xrg3sawakm

  • MD5

    4fa376e5ca671bccd9f2c239bd42fd19

  • SHA1

    b0be4c96572df9d47b1072c61c80a61e92536556

  • SHA256

    f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57

  • SHA512

    423ff62455e38eefd56c2adb778c695ed041fd95ed6e9840d6c3d649d059f8683a1e9a7fe18df21d397bb52f9cb265af93d5bd5538fe2239f5218d5ca35bf53c

  • SSDEEP

    3072:0rbfEa2wJFu+cd819tU7D5I6uwn94cJc:0nD2QFu+dTSDSO94cJc

Malware Config

Extracted

Family

xtremerat

C2

ofcorp.no-ip.org

Targets

    • Target

      4fa376e5ca671bccd9f2c239bd42fd19_JaffaCakes118

    • Size

      119KB

    • MD5

      4fa376e5ca671bccd9f2c239bd42fd19

    • SHA1

      b0be4c96572df9d47b1072c61c80a61e92536556

    • SHA256

      f8112b237e9b8c68dd997ce7dcd089c059af4eed5ed58b49e1e40d686c8dde57

    • SHA512

      423ff62455e38eefd56c2adb778c695ed041fd95ed6e9840d6c3d649d059f8683a1e9a7fe18df21d397bb52f9cb265af93d5bd5538fe2239f5218d5ca35bf53c

    • SSDEEP

      3072:0rbfEa2wJFu+cd819tU7D5I6uwn94cJc:0nD2QFu+dTSDSO94cJc

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks