General

  • Target

    50a5c739ce813ffd001ccf029bca129c_JaffaCakes118

  • Size

    900KB

  • Sample

    240717-ad953swhpl

  • MD5

    50a5c739ce813ffd001ccf029bca129c

  • SHA1

    cca16d7c0fd79585bedcfedba73a7b8a8c22a4b4

  • SHA256

    b02a3881dd99b89e865f43f50fb1436de3c60e6218fc50e91464c8ada5efd47f

  • SHA512

    bc437826336d9f0966d4f20c5642d8c5cf185998b41b5c3d420484fe16d22e330a093fc022cf4b1889ac03ca19e05a40cc6299ebbe08d2848e119b3a6bd80085

  • SSDEEP

    24576:ZyE5gA3UdwrZDifLB0HDXd0+OlHIsFc82Hjvv:Xk6DifL2HxtOdI0i

Malware Config

Extracted

Family

xtremerat

C2

mahmoodgz.no-ip.biz

Targets

    • Target

      50a5c739ce813ffd001ccf029bca129c_JaffaCakes118

    • Size

      900KB

    • MD5

      50a5c739ce813ffd001ccf029bca129c

    • SHA1

      cca16d7c0fd79585bedcfedba73a7b8a8c22a4b4

    • SHA256

      b02a3881dd99b89e865f43f50fb1436de3c60e6218fc50e91464c8ada5efd47f

    • SHA512

      bc437826336d9f0966d4f20c5642d8c5cf185998b41b5c3d420484fe16d22e330a093fc022cf4b1889ac03ca19e05a40cc6299ebbe08d2848e119b3a6bd80085

    • SSDEEP

      24576:ZyE5gA3UdwrZDifLB0HDXd0+OlHIsFc82Hjvv:Xk6DifL2HxtOdI0i

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks