General

  • Target

    5964833fe2ded26bf9974d5517d64d3b_JaffaCakes118

  • Size

    344KB

  • Sample

    240718-2nvlxszhmp

  • MD5

    5964833fe2ded26bf9974d5517d64d3b

  • SHA1

    fe93e42bd7a09f8a55d8653bfade161715759e33

  • SHA256

    0e732290a6d44ec664639a98857356eac85ad571774704df4b798709a2d1a747

  • SHA512

    e89d8f25e2b83321ec553320017df069f1e809b400934dafcfc912689882266ffdbae1bff381c3fe6dad8890f1b556bf708bc87615b02625df3e192619f792b7

  • SSDEEP

    3072:Fb2z/QUxm4UlJ7Qig7pH0qOEG8nUi5izw9RXq2IRtj6mAB1nyu:FPc1y

Malware Config

Targets

    • Target

      5964833fe2ded26bf9974d5517d64d3b_JaffaCakes118

    • Size

      344KB

    • MD5

      5964833fe2ded26bf9974d5517d64d3b

    • SHA1

      fe93e42bd7a09f8a55d8653bfade161715759e33

    • SHA256

      0e732290a6d44ec664639a98857356eac85ad571774704df4b798709a2d1a747

    • SHA512

      e89d8f25e2b83321ec553320017df069f1e809b400934dafcfc912689882266ffdbae1bff381c3fe6dad8890f1b556bf708bc87615b02625df3e192619f792b7

    • SSDEEP

      3072:Fb2z/QUxm4UlJ7Qig7pH0qOEG8nUi5izw9RXq2IRtj6mAB1nyu:FPc1y

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks