General

  • Target

    5a9ce2a8c2354f081dc91d59b9e07681_JaffaCakes118

  • Size

    132KB

  • Sample

    240719-fzzjcsvajj

  • MD5

    5a9ce2a8c2354f081dc91d59b9e07681

  • SHA1

    900ca8e22f4f5e9786b698dc1bfc7216403fd697

  • SHA256

    37e60d9d46f34797ada59d45fb51b3030790ec4934f17893544e465b5185ba11

  • SHA512

    d4abbbf5c10fc2414b0bc0f5de9b59c3f0efa0c90ffb22e7bedc37781600fd7e80ba9e3e30adce7bae417403ffcf5cfc00b326eece9a6a727b0c24692d69ec8e

  • SSDEEP

    3072:jQqf2UjjM3BqWjGU/P6yio/03KutlSSKMm:jrf2U/wCyiihvT

Malware Config

  • Extracted

  • Family

    xtremerat

  • C2

    wer99.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15