General

  • Target

    5266bb90458c6f3f51705b8121859638_JaffaCakes118

  • Size

    124KB

  • Sample

    240717-lg7d5sxfrf

  • MD5

    5266bb90458c6f3f51705b8121859638

  • SHA1

    5d261359952fe3bdbd6b49c19ea4ea72579dd8e7

  • SHA256

    548a99768186fb9306022951ee39bfb8311ec2d281455ec326c931fa5351f714

  • SHA512

    2a098673bb742c1dcbaa39294972672b3cef652a15a2a227fdf6de1fd338ed8690e10087c35469adaa875a673bca17a07fb54d9294db5ab2584a20b84f9b5a37

  • SSDEEP

    3072:WgYNSJRZ6bSpOLRDS6UZ+3NkYrCp5slSd:W5SrZ6mpOlDfC+3CYrCph

Malware Config

Extracted

Family

xtremerat

C2

mal3k.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the UPX (or a modified UPX) open-source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15