General

  • Target

    58e0e58cf4ff1842c536ca7aa56f873c_JaffaCakes118

  • Size

    86KB

  • Sample

    240718-ywxjpsxdlc

  • MD5

    58e0e58cf4ff1842c536ca7aa56f873c

  • SHA1

    e0ae9239a7c2e6949d1b4c2405a6a271991e9b1b

  • SHA256

    b3a4824b9ee4b01bb18518066ce2962b3a82e5a4290fb52632193efa3a2dc396

  • SHA512

    8a5f6a8767186d3d8a88194ef40053da652a97315dabaa353e9dbf758615c80af8d60bf92a45e1eefb3a308031401abf8514cd74aaba1c3ba72dee4f281d8672

  • SSDEEP

    1536:/vXHLUAJthHWO+/E/lpajtVvGxXTXfvubqBfX9Ahg8FeN+YtsO+n9IpYReNVtiP9:H48bV/lpytNGxrfvR/9Ahg8Q5tsvnufY

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    6939147.no-ip.biz

Targets

    • Target

      58e0e58cf4ff1842c536ca7aa56f873c_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15