General

  • Target

    4fe803090331cfcace587a8310a4bc26_JaffaCakes118

  • Size

    49KB

  • Sample

    240716-y47dwa1eqe

  • MD5

    4fe803090331cfcace587a8310a4bc26

  • SHA1

    dc3a5c03a8e7c3509bc28846cec8bf1c555ac73d

  • SHA256

    29585e49ee0559e73c692ddaa8db2fb6512c5f46a8b7fc1d57c388da2ff79390

  • SHA512

    92a9dc6e84dace2826da39b356dbb36db0c422cd52f4f7d9e38a254dca38330e647899013d3ed6ebb33624eb86f929ab5cf2b11aa276827a063919f20e9984b1

  • SSDEEP

    768:aEJ7xLMdyOxVhtJwUTN/XY9Mojj2p0KVho/AT9bWlRPcwghP9OlhCJc:aEYdBRG4Q9HjTGJ4lR8POi

Malware Config

Extracted

Family

xtremerat

C2

biladi2000.no-ip.info

Targets

    • Target

      4fe803090331cfcace587a8310a4bc26_JaffaCakes118

    • Size

      49KB

    • MD5

      4fe803090331cfcace587a8310a4bc26

    • SHA1

      dc3a5c03a8e7c3509bc28846cec8bf1c555ac73d

    • SHA256

      29585e49ee0559e73c692ddaa8db2fb6512c5f46a8b7fc1d57c388da2ff79390

    • SHA512

      92a9dc6e84dace2826da39b356dbb36db0c422cd52f4f7d9e38a254dca38330e647899013d3ed6ebb33624eb86f929ab5cf2b11aa276827a063919f20e9984b1

    • SSDEEP

      768:aEJ7xLMdyOxVhtJwUTN/XY9Mojj2p0KVho/AT9bWlRPcwghP9OlhCJc:aEYdBRG4Q9HjTGJ4lR8POi

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks