General

  • Target

    521a789f6892d554c051004faad5f3d1_JaffaCakes118

  • Size

    794KB

  • Sample

    240717-jvx2hs1hqr

  • MD5

    521a789f6892d554c051004faad5f3d1

  • SHA1

    51ef63218968f62714493f80dce5726186103d61

  • SHA256

    7c8e070f5d231dceada7b2baee3797c3c835ad813ddf52f8e7ed9cfc50efbe6f

  • SHA512

    e560bc1a3a2504fe763981dba9967bf82a83fb73d8b42d5830804f3538ac9b2f73b44146d8ced4ce0e01b4fe9f24b32d2bb4e5b073dc8949523be1afcefe253c

  • SSDEEP

    12288:ceupTL/Ff0KY5nXqd0ADnudisybYz0ING2slASLQw3x9w6PiWtNWtTUXDx9R2QHV:Lm98znXq51dgDSLQgx9dm5UXXHsSHDZ

Malware Config

Extracted

Family

xtremerat

C2

momo44.no-ip.biz

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks