General

  • Target

    51cf6ac79ff7e98d3c2ce3e1976009d2_JaffaCakes118

  • Size

    47KB

  • Sample

    240717-g6b73sygjj

  • MD5

    51cf6ac79ff7e98d3c2ce3e1976009d2

  • SHA1

    15a82d4b425f4e3ad5a0144b2ca9d5dedbe41e2c

  • SHA256

    f4bcbce0b4c464bf03aeac7b3a98cd2687cf22159acfa322a905e84a8ba67330

  • SHA512

    a06eb699e85aedc4a58e3d720b6e0a15e7791f4a652cc753a55e934132f1a6647be2893c3a5c6fb7053bf264e50fc5992422951b34daf3e225050e1b5efcfbce

  • SSDEEP

    768:rBr+tjFqTPkAlfztB1lr6an3smTA8uvm2DfOTwYPI0zoA2:FyRUHlrL1lr6an3TLuvm2buQUoA2

Malware Config

Extracted

Family

xtremerat

C2

রd3mnt.no-ip.info

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks