General

  • Target

    51df7dd409b18c676d7b506595e09ba7_JaffaCakes118

  • Size

    1008KB

  • Sample

    240717-hgrrxasejg

  • MD5

    51df7dd409b18c676d7b506595e09ba7

  • SHA1

    25a8867ff167eea38ed43552ca6bdbf48d1aec7d

  • SHA256

    c93642f0dd5a66809fb5d714e597dfc7971cb236067bc30372e3779b16107fcf

  • SHA512

    0cff38b29e224249491bec8892140666d7e2fd7a38bf40db07d309a44d22dd67b0c2167a5be995fd79200fec53816d14606d2442ec4e3c122b689b7b3539bbd8

  • SSDEEP

    24576:SOiCv9aUwEeIMrw8cWX4Q48RCPG9MlAC9J:SOiCv9aUwysyWCPGylX

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    dfuso.zapto.org

Targets

    • Target

      51df7dd409b18c676d7b506595e09ba7_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Checks BIOS information in registry

      BIOS information is often read from the registry in order to detect sandbox environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified version of it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks