General

  • Target

    5f415d869208a127a6ec459acc329dfc_JaffaCakes118

  • Size

    58KB

  • Sample

    240720-gg2rfayerp

  • MD5

    5f415d869208a127a6ec459acc329dfc

  • SHA1

    f006fdf0c5331515bd44d3e24ff2fb8054825903

  • SHA256

    11a28898392235fe2a4b568080550b0320fa9042bd06010f65013d99201ef708

  • SHA512

    2f4820b15387e73f59ae130b18a81a44208b89811644fb62bd0c494a2c63cd3bf1ae6c8f6fec5b16889ed2a499da9e422b71ba2042c215e05975e0f485d2a9e8

  • SSDEEP

    1536:2BBmuMww9kp88LvjPnZTjTTswz9+8bEUhcgoMn+p2:cHMww9ydTfzQGE70+p

Malware Config

Extracted

Family

xtremerat

C2

mal3k.no-ip.org

Targets

    • Target

      5f415d869208a127a6ec459acc329dfc_JaffaCakes118

    • Size

      58KB

    • MD5

      5f415d869208a127a6ec459acc329dfc

    • SHA1

      f006fdf0c5331515bd44d3e24ff2fb8054825903

    • SHA256

      11a28898392235fe2a4b568080550b0320fa9042bd06010f65013d99201ef708

    • SHA512

      2f4820b15387e73f59ae130b18a81a44208b89811644fb62bd0c494a2c63cd3bf1ae6c8f6fec5b16889ed2a499da9e422b71ba2042c215e05975e0f485d2a9e8

    • SSDEEP

      1536:2BBmuMww9kp88LvjPnZTjTTswz9+8bEUhcgoMn+p2:cHMww9ydTfzQGE70+p

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15