Resubmissions

Submitted           Sample ID            Score
19-07-2024 03:44    240719-eavnfa1dpn    10
18-07-2024 15:38    240718-s3epksyblc    10

General

  • Target

    580432b487a577e230e77560da74d217_JaffaCakes118

  • Size

    6.3MB

  • Sample

    240719-eavnfa1dpn

  • MD5

    580432b487a577e230e77560da74d217

  • SHA1

    330fe5d209a1058f0950711098fb827a55156aca

  • SHA256

    8ddc17f683f0dfa09484fb7574c8fecf3363801f7ad47bc55a8160044bfb17d5

  • SHA512

    9e5d48c5b311362d727601af4bd4b78b301039ea0bcde23a23c99254b84ee9ca467f0a63ae60d86f4cae1b517053355fdd66bf823cc2467b2e8766ced2e7be41

  • SSDEEP

    49152:jFS6Jc08I7r/QA+SHnnOhU4k+x5v5ENZ8uWLd9HiEOcT3xClj91G+TbkzCAhHDWr:uq

Malware Config

Extracted

Family

xtremerat

C2

zocks.zapto.org (zapto.org is a No-IP dynamic DNS domain, so the address it resolves to is attacker-controlled and volatile; block or hunt on the hostname rather than on a single IP)

Targets

    • Target

      580432b487a577e230e77560da74d217_JaffaCakes118

    • Detect Neshta payload

    • Detect XtremeRAT payload

    • Modifies WinLogon for persistence

    • Neshta

      Neshta is a file infector: it writes its own code into other executable files so that launching any infected program re-runs the infector, which spreads it further and damages the host.

    • XtremeRAT

      XtremeRAT is a remote access trojan written in Delphi; it was developed by xtremecoder and has been available since at least 2010.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a key under Active Setup\Installed Components on the local machine; the StubPath of such a key is executed at the next user logon.

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Executes dropped EXE

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
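The persistence signatures above (Winlogon, Run and policy Run keys, Active Setup, the exefile association and service ImagePath) all map to registry writes that Sysmon records as Event ID 13. The following is an added example, not part of the Triage report or its signature engine: it turns those locations into host-side detection logic and runs it over constructed Sysmon-style log lines. The image paths, value names, GUID and data in the sample log are hypothetical, and the pipe-separated line format is a simplification of the real event fields.

```python
import re

# Registry value paths behind the report's persistence-related signatures.
# Matched case-insensitively against the TargetObject of a Sysmon Event ID 13
# (RegistryEvent: value set). Sysmon writes the hive as HKLM / HKU\<SID> and
# the unnamed default value as "(Default)".
PERSISTENCE_RULES = [
    ("Modifies WinLogon for persistence",
     r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$"),
    ("Adds Run key to start application",
     r"^(HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$"),
    ("Adds policy Run key to start application",
     r"^(HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$"),
    ("Boot or Logon Autostart Execution: Active Setup",
     r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$"),
    ("Modifies system executable filetype association",
     r"^(HKLM\\SOFTWARE\\Classes|HKCR)\\exefile\\shell\\open\\command\\\(Default\)$"),
    ("Sets service image path in registry",
     r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+\\ImagePath$"),
]
COMPILED_RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in PERSISTENCE_RULES]

# Stock values of the Winlogon entries. A write that merely restores the default
# is not a persistence attempt and is suppressed to keep the alert rate sane.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,", r"c:\windows\system32\userinit.exe"},
}


def parse_event(line):
    """Parse one constructed 'EventID|Image|TargetObject|Details' log line."""
    event_id, image, target, details = line.rstrip("\n").split("|", 3)
    return {"event_id": int(event_id), "image": image, "target": target, "details": details}


def classify(event):
    """Return the signature name an Event ID 13 write triggers, or None."""
    if event["event_id"] != 13:
        return None
    target = event["target"]
    for name, rule in COMPILED_RULES:
        if not rule.match(target):
            continue
        value_name = target.rsplit("\\", 1)[-1].lower()
        if value_name in WINLOGON_DEFAULTS and event["details"].lower() in WINLOGON_DEFAULTS[value_name]:
            return None
        return name
    return None


def scan_events(lines):
    """Run every line through the rules; return hits as (signature, image, target, details)."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        name = classify(event)
        if name:
            hits.append((name, event["image"], event["target"], event["details"]))
    return hits


# Constructed sample events (hypothetical paths, value names and data).
# Lines 1-6 exercise one rule each; line 7 is an unrelated write, line 8
# restores the Winlogon default, line 9 is a key-create event (ID 12), not a value set.
SAMPLE_LOG = r"""
13|C:\Users\Public\update.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe,C:\Users\Public\update.exe
13|C:\Users\Public\update.exe|HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update|C:\Users\Public\update.exe
13|C:\Users\Public\update.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Update|C:\Users\Public\update.exe
13|C:\Users\Public\update.exe|HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0FFEE00-0000-0000-0000-000000000001}\StubPath|C:\Users\Public\update.exe
13|C:\Users\Public\update.exe|HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)|"C:\Windows\loader.com" "%1" %*
13|C:\Users\Public\update.exe|HKLM\System\CurrentControlSet\Services\UpdSvc\ImagePath|C:\Windows\System32\drivers\upd.sys
13|C:\Windows\System32\msiexec.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName|App
13|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe
12|C:\Users\Public\update.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|
"""

if __name__ == "__main__":
    for sig, image, target, details in scan_events(SAMPLE_LOG.splitlines()):
        print(f"{sig:50} {image} -> {target} = {details}")
```

The rules match on the full value path rather than on substrings so that a benign write to a sibling key such as Uninstall does not fire, and the Winlogon baseline check is the piece most often missing from quick-and-dirty detections: the interesting signal is a Shell or Userinit value that differs from the stock one, not any write at all.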

MITRE ATT&CK Enterprise v15

Tasks