General

  • Target

    50d0446e6511b1b03ea603b7ee3d9c28_JaffaCakes118

  • Size

    288KB

  • Sample

    240717-bbpl2a1fqc

  • MD5

    50d0446e6511b1b03ea603b7ee3d9c28

  • SHA1

    0a4aafc54d6f0fd72e54426babe8c75b393ae3ff

  • SHA256

    a49d0e109a2f379dadffd496b4ecf6f957edaeaeff50c95c81c0c17f91ce18e8

  • SHA512

    2ec159f81ee5e44229c29caa75185306d59c5e3717f99b849eb8c61479912b40748b815bd36f1e4fd96ca8c7c7b7c88dbcc8d2ec9464e2b0f6ea398eb32ec0b1

  • SSDEEP

    6144:gP6RapdMxhNgaYSI4KHRvn2wbTiM5qz6usJGUrGrvUlh6vkwp0yN90PEClJE4yNc:ghMbenzKruy90XlBy90

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15