General
- Target: 580432b487a577e230e77560da74d217_JaffaCakes118
- Size: 6.3MB
- Sample: 240719-eavnfa1dpn
- MD5: 580432b487a577e230e77560da74d217
- SHA1: 330fe5d209a1058f0950711098fb827a55156aca
- SHA256: 8ddc17f683f0dfa09484fb7574c8fecf3363801f7ad47bc55a8160044bfb17d5
- SHA512: 9e5d48c5b311362d727601af4bd4b78b301039ea0bcde23a23c99254b84ee9ca467f0a63ae60d86f4cae1b517053355fdd66bf823cc2467b2e8766ced2e7be41
- SSDEEP: 49152:jFS6Jc08I7r/QA+SHnnOhU4k+x5v5ENZ8uWLd9HiEOcT3xClj91G+TbkzCAhHDWr:uq
Malware Config
- Extracted: xtremerat
  zocks.zapto.org
Targets
- Target: 580432b487a577e230e77560da74d217_JaffaCakes118
- Detect Neshta payload
- Detect XtremeRAT payload
- Modifies WinLogon for persistence
- Neshta
  Neshta is a file infector: malware from this family injects itself into other files to spread and cause damage.
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)