General

  • Target

    5280da4fcc8e0305f9461400c04b1bbb_JaffaCakes118

  • Size

    104KB

  • Sample

    240717-l1pcnswbkq

  • MD5

    5280da4fcc8e0305f9461400c04b1bbb

  • SHA1

    b2b3948bad15c4b1869fb7836e51272e0c532de7

  • SHA256

    13d9d37ad3b31a089fa904046634cf23322d993f59a1153f93cd24f6dea0d4ba

  • SHA512

    254d63a3b0fc7bd995edac0909898a1d21f69547382b4458c00d13a2f0c5c4d56f84d899959282ab91fd51dfc288cdf400b308e28e401b5afd81807af090971c

  • SSDEEP

    1536:unh3FTDtpp9AWdYZXQdrsDEGekQYU9A5:uzfY5QdrUEGv3U9A5

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT is a Delphi remote access trojan written by xtremecoder and in circulation since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components on the local machine. The component's StubPath command is executed at the next logon of every user whose HKCU copy of that component is missing or carries a lower Version value, which makes it a quiet alternative to the Run keys.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular locales.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build. Modified builds commonly rename the UPX0/UPX1 sections and strip the "UPX!" header marker, so a stock upx -d will refuse to unpack them even though the layout is unchanged.

    • Adds Run key to start application

      Writes a value under Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM) so the payload is launched again at logon.

    • Suspicious use of SetThreadContext

      SetThreadContext called on a thread of another process is the usual final step of process hollowing: a target is created suspended, its image is replaced with the payload, and the thread's entry point is redirected into the injected code before it is resumed.
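
The UPX verdict above rests on three independent signals: the UPX0/UPX1 section names, the "UPX!" marker stock UPX leaves in the header slack, and the packer layout itself (a first section with no file data but a large virtual size, followed by a dense, high-entropy packed section). The Python below is an added example written for this page, not code from Triage or from the sample; it parses a PE section table and applies those checks. The PE images it analyses are constructed in code, with seeded pseudo-random bytes standing in for a compressed payload, and the 7.0 bits/byte entropy threshold is an assumption chosen for the example.

```python
import math
import random
import struct

PE32_OPTIONAL_HEADER_SIZE = 0xE0  # PE32; the parser reads the real size from the COFF header


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return sections


def detect_upx(pe: bytes) -> dict:
    """Section names, the 'UPX!' marker, and packer-like layout, evaluated independently."""
    sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    upx_names = any(n.startswith("UPX") for n in names)
    upx_magic = b"UPX!" in pe  # marker stock UPX leaves in the header slack
    high_entropy = [s["name"] for s in sections if s["raw_size"] and s["entropy"] > 7.0]
    # First section has no file data but a large virtual size (the buffer the stub
    # decompresses into). This layout survives renaming and marker stripping.
    empty_reserve = bool(sections) and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0
    if upx_names or upx_magic:
        verdict = "upx"
    elif high_entropy and empty_reserve:
        verdict = "possible-packer"
    elif high_entropy:
        verdict = "high-entropy"  # could equally be embedded resources or an encrypted blob
    else:
        verdict = "none"
    return {"verdict": verdict, "section_names": names, "upx_names": upx_names,
            "upx_magic": upx_magic, "high_entropy_sections": high_entropy, "sections": sections}


def build_test_pe(specs, header_marker: bytes = b"") -> bytes:
    """Assemble a minimal PE32 from (name, raw_data, virtual_size) tuples.
    Constructed for this example: only the fields parse_sections() reads are meaningful."""
    n = len(specs)
    header_end = 0x40 + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + 40 * n
    raw_ptr = (header_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (PE32_OPTIONAL_HEADER_SIZE - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             raw_ptr + len(body) if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    slack = raw_ptr - len(image)
    if len(header_marker) > slack:
        raise ValueError("marker does not fit in header slack")
    return image + header_marker.ljust(slack, b"\0") + body


_rng = random.Random(1337)
_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for a compressed payload
_CODE = b"\x55\x8b\xec\x83\xec\x10\x90\x90\xc3" * 400       # low-entropy x86-like bytes


def sample_upx() -> bytes:
    return build_test_pe([(b"UPX0", b"", 0x20000), (b"UPX1", _PACKED, 0x2000),
                          (b".rsrc", b"\0" * 512, 0x1000)], header_marker=b"UPX!")


def sample_clean() -> bytes:
    return build_test_pe([(b".text", _CODE, 0x1000), (b".data", b"Hello, world\0" * 100, 0x1000)])


def sample_stripped() -> bytes:
    # "Modified UPX": names and marker removed, layout and entropy unchanged.
    return build_test_pe([(b".text", b"", 0x20000), (b".data", _PACKED, 0x2000)])


if __name__ == "__main__":
    for label, pe in (("stock upx", sample_upx()), ("clean", sample_clean()), ("stripped", sample_stripped())):
        r = detect_upx(pe)
        print(f"{label:10} {r['verdict']:16} {r['section_names']} high={r['high_entropy_sections']}")
```

Run against a real file with detect_upx(open(path, "rb").read()). The "stripped" sample is the case the signature text warns about: the name and marker checks both fail, and only the layout plus entropy still points at a packer, which is why a high-entropy verdict alone should prompt a look at the section table rather than an automatic upx -d.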

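The two persistence signatures above (Active Setup and the Run key) can be hunted offline from a registry export. The Python below is an added example written for this page, not Triage tooling or code from the sample: it parses the subset of .reg syntax that matters here and flags Active Setup StubPath and Run/RunOnce commands whose image sits in a user-writable location or is not an absolute path. The GUIDs, paths and value names in SAMPLE_REG are constructed for the example, and the trusted-directory and user-writable markers assume a C: system drive.

```python
import re

# Lower-cased key fragments for the two persistence locations flagged in the report.
ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
# Heuristic assumptions: system drive is C:, and logon stubs belong under these roots.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "%temp%", "%appdata%", "%localappdata%", "%userprofile%")

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers plus "name"="string" and @="string" values (backslash escapes undone).
    dword:/hex: data is kept as raw text. Returns {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys


def image_path(command: str) -> str:
    """First token of an autostart command: a quoted path, or an unquoted one ending in .exe etc."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1))(?=\s|$)", command, re.I)
    return m.group(1) if m else (command.split() or [command])[0]


def assess(key: str, name: str, command: str, version=None) -> dict:
    image = image_path(command)
    low_img, low_cmd = image.lower(), command.lower()
    reasons = []
    if any(marker in low_cmd for marker in USER_WRITABLE):
        reasons.append("command references a user-writable location")
    if not re.match(r"^[a-z]:\\", low_img):
        reasons.append("image path is not absolute (resolved via the search path)")
    elif not low_img.startswith(TRUSTED_DIRS):
        reasons.append("image outside Windows/Program Files")
    return {"key": key, "value": name, "command": command, "image": image,
            "version": version, "reasons": reasons, "suspicious": bool(reasons)}


def triage_autostarts(reg_text: str) -> list:
    """Return Active Setup StubPath and Run/RunOnce entries that look like user-land persistence."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if ACTIVE_SETUP in k and "StubPath" in values:
            # StubPath runs at the next logon of every user whose HKCU copy of this
            # component is missing or has a lower Version, so Version is worth recording.
            findings.append(assess(key, "StubPath", values["StubPath"], values.get("Version")))
        elif k.endswith(RUN_KEYS):
            for name, command in values.items():
                findings.append(assess(key, name, command))
    return [f for f in findings if f["suspicious"]]


# Constructed registry export for the example; GUIDs, paths and value names are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Constructed benign component"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000000000BA}]
"StubPath"="\"C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\Server.exe\" restart"
"Version"="9,9,9,9"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\Updater.exe\" /background"
"WinUpdate"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,3e,28,00,00
"""

if __name__ == "__main__":
    for f in triage_autostarts(SAMPLE_REG):
        print(f"{f['key']}\n  {f['value']} = {f['command']}\n  -> {'; '.join(f['reasons'])}")
```

Exports produced by reg export on Windows are UTF-16LE with a BOM, so read a real file with open(path, encoding="utf-16") before passing it in. The path heuristic is deliberately narrow: it catches the AppData and Temp drop locations sandboxes typically report, but a stub living under Program Files or a relative rundll32 invocation should still be reviewed by hand, which is why relative images are flagged too.
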
MITRE ATT&CK Enterprise v15
