General

  • Target

    5f8ff987d0529e0c68b14fe18890228d_JaffaCakes118

  • Size

    293KB

  • Sample

    240720-h9qqbawbnf

  • MD5

    5f8ff987d0529e0c68b14fe18890228d

  • SHA1

    2a27c5d75937968f269e00a95c224812ff167ffd

  • SHA256

    32002f45e592e647c57df9d56ffcc6d6aa5709a6f5a330519b97cc7d5d82776c

  • SHA512

    da81487ad874ddbe907c4e1cbfaa12fc5cded606ac044d01505c08e7e7a44f3e217f4305cf44185e60ad5963c01739873c45841bec0706ab8e639ad8cab853a0

  • SSDEEP

    3072:9pCu9NrTll4O/y6vO1OWFWACZ+UKPj9udcr2SKJlD+wsnYwSj/iMjub7or:PTPAXSdcryJZjsYw2iTb70

Malware Config

Targets

    • Target

      5f8ff987d0529e0c68b14fe18890228d_JaffaCakes118

    • Size

      293KB

    • MD5

      5f8ff987d0529e0c68b14fe18890228d

    • SHA1

      2a27c5d75937968f269e00a95c224812ff167ffd

    • SHA256

      32002f45e592e647c57df9d56ffcc6d6aa5709a6f5a330519b97cc7d5d82776c

    • SHA512

      da81487ad874ddbe907c4e1cbfaa12fc5cded606ac044d01505c08e7e7a44f3e217f4305cf44185e60ad5963c01739873c45841bec0706ab8e639ad8cab853a0

    • SSDEEP

      3072:9pCu9NrTll4O/y6vO1OWFWACZ+UKPj9udcr2SKJlD+wsnYwSj/iMjub7or:PTPAXSdcryJZjsYw2iTb70

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks