General

  • Target

    5a8ffde10aa99fe1da4a56fada54d917_JaffaCakes118

  • Size

    47KB

  • Sample

    240719-fnbcdsxcje

  • MD5

    5a8ffde10aa99fe1da4a56fada54d917

  • SHA1

    915cb298fd128875abc1b02f606bd554403ff79e

  • SHA256

    f09f5737cc736ac13fe222e21d802729b1c9d212ab3b19f5bde6bea736799f95

  • SHA512

    c6bb1c1ea4a59089177ffd525ae46ab61a5ea9deca2e1083d906ec7eb6c3047130002b1048156afed01b18ff8cd35ae3c905afa9d77aa0ede053362d643e8f47

  • SSDEEP

    768:KhKi6vj0BATfZR3LYGJLydk8RgLHuANgJENrcxg+YDUyiJaHn5MAJwi/rgak9Dn7:KorkoRsG8dk8RqgJENrcC+YDUrg5bJw3

Malware Config

Extracted

Family

xtremerat

C2

fabhack.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components) on the local machine; the StubPath value is executed on each user's next logon.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
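
The behaviours listed above map cleanly onto host telemetry. The following script is an added example, not part of the sandbox report or of any detection product: it matches Sysmon-style events (Event IDs 1, 11, 13, 22, 23/26) against the Active Setup and Run key persistence, the System32 file drop, execution of the dropped file, self-deletion, and resolution of the extracted C2 host. The key=value log format, the sample path, the dropped filename and the placeholder GUID are all constructed for the example; the registry and file-system path fragments are standard Windows locations assumed here, since the report names the behaviours rather than the exact keys. The only value taken from the report is the C2 host.

```python
import re

# From the report's extracted config.
C2_HOST = "fabhack.no-ip.org"

# Lower-cased path fragments the rules look for. Standard Windows locations,
# assumed for this example; the report does not state the exact keys.
ACTIVE_SETUP = r"\software\microsoft\active setup\installed components"
RUN_KEY = r"\currentversion\run"          # also matches RunOnce
SYSTEM32 = r"\windows\system32"

# Constructed log format: Key=value tokens, values with spaces in double quotes.
TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one constructed Sysmon-style line into a dict (EventID as int)."""
    ev = {}
    for key, _, quoted, bare in TOKEN.findall(line):
        ev[key] = quoted if quoted else bare
    ev["EventID"] = int(ev.get("EventID", 0))
    return ev


def triage(lines, sample_path):
    """Match events against the report's behaviours.

    Returns a list of (behaviour, evidence) tuples in event order. Files the
    sample writes (Event 11) are remembered so that a later ProcessCreate of
    one of them can be reported as 'Executes dropped EXE'.
    """
    sample = sample_path.lower()
    dropped = set()
    hits = []
    for line in lines:
        ev = parse_event(line)
        eid = ev["EventID"]
        image = ev.get("Image", "").lower()
        target = ev.get("TargetObject", "").lower()
        fname = ev.get("TargetFilename", "").lower()

        if eid == 13 and ACTIVE_SETUP in target:          # registry value set
            hits.append(("Active Setup persistence", ev["TargetObject"]))
        elif eid == 13 and RUN_KEY in target:
            hits.append(("Run key persistence", ev["TargetObject"]))
        elif eid == 11 and image == sample:                # file create by sample
            dropped.add(fname)
            if SYSTEM32 in fname:
                hits.append(("Drops file in System32", ev["TargetFilename"]))
        elif eid == 1 and image in dropped:                # process create
            hits.append(("Executes dropped EXE", ev["Image"]))
        elif eid in (23, 26) and fname == sample:          # file delete
            hits.append(("Deletes itself", ev["TargetFilename"]))
        elif eid == 22:                                    # DNS query
            qname = ev.get("QueryName", "").lower()
            if qname == C2_HOST:
                hits.append(("C2 resolution", qname))
            elif qname.endswith(".no-ip.org"):
                hits.append(("Dynamic DNS lookup", qname))
    return hits


# Constructed sample telemetry for the example (not from the sandbox run).
SAMPLE = r"C:\Users\analyst\AppData\Local\Temp\sample.exe"
LOG = [
    r'EventID=11 Image="C:\Users\analyst\AppData\Local\Temp\sample.exe" TargetFilename="C:\Windows\System32\svchost32.exe"',
    r'EventID=13 Image="C:\Users\analyst\AppData\Local\Temp\sample.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath" Details="C:\Windows\System32\svchost32.exe"',
    r'EventID=13 Image="C:\Users\analyst\AppData\Local\Temp\sample.exe" TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU" Details="C:\Windows\System32\svchost32.exe"',
    r'EventID=1 Image="C:\Windows\System32\svchost32.exe" ParentImage="C:\Users\analyst\AppData\Local\Temp\sample.exe"',
    r'EventID=22 Image="C:\Windows\System32\svchost32.exe" QueryName=fabhack.no-ip.org',
    r'EventID=26 Image="C:\Windows\System32\cmd.exe" TargetFilename="C:\Users\analyst\AppData\Local\Temp\sample.exe"',
    r'EventID=22 Image="C:\Windows\explorer.exe" QueryName=www.example.com',
]

if __name__ == "__main__":
    for behaviour, evidence in triage(LOG, SAMPLE):
        print(f"{behaviour:26} {evidence}")
```

Registry reads are not logged by Sysmon, so the geofence lookup ("Checks computer location settings") cannot be matched this way and needs the sandbox's API trace instead. The self-deletion rule keys on the deleted path rather than the deleting process, because the deletion is typically performed by a child cmd.exe rather than by the sample itself.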

MITRE ATT&CK Enterprise v15

Tasks