General

  • Target

    51167457038df0db2dcb153784660d1b_JaffaCakes118

  • Size

    108KB

  • Sample

    240717-ctw99svbpd

  • MD5

    51167457038df0db2dcb153784660d1b

  • SHA1

    282cd26eabaffa1e4a1658f3083b3b69d64ced61

  • SHA256

    639a35a5c1a44085911492e73a3b727b79ff0300e121c8b6f23340d957180a5a

  • SHA512

    5f81de9f5199c9c2e6d7b119adf2cbe1df45dc476a90b569cd4c35a60429ed54bae5f4e31c015e3aa10f7b329e2d63a51d9e3ed499d1bef038261f6de5db3d94

  • SSDEEP

    3072:rvmMSJjp4qcBXM9Bzj8tHuG4Kby38lMfQ:rvmtjp4fiLzjcl+dQ

Malware Config

Extracted

Family

xtremerat

C2

mal3k.no-ip.org

Targets

    • Target

      51167457038df0db2dcb153784660d1b_JaffaCakes118

    • Size

      108KB

    • MD5

      51167457038df0db2dcb153784660d1b

    • SHA1

      282cd26eabaffa1e4a1658f3083b3b69d64ced61

    • SHA256

      639a35a5c1a44085911492e73a3b727b79ff0300e121c8b6f23340d957180a5a

    • SHA512

      5f81de9f5199c9c2e6d7b119adf2cbe1df45dc476a90b569cd4c35a60429ed54bae5f4e31c015e3aa10f7b329e2d63a51d9e3ed499d1bef038261f6de5db3d94

    • SSDEEP

      3072:rvmMSJjp4qcBXM9Bzj8tHuG4Kby38lMfQ:rvmtjp4fiLzjcl+dQ

    • Detect XtremeRAT payload

    • UAC bypass

    • Windows security bypass

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks