General

  • Target

    600bcafe6368257513bdfbb0dc8ca86d_JaffaCakes118

  • Size

    162KB

  • Sample

    240720-l5flbs1cka

  • MD5

    600bcafe6368257513bdfbb0dc8ca86d

  • SHA1

    c25a44731110c05d2d0836653bf8665267951d8c

  • SHA256

    fb8730b23b3a9fbc11cab57b3371893fe191807b9f7b3deab70987d4940b0c66

  • SHA512

    dfa5d44941d1f5690e9032b1bb151bf8755ad24bd1cc8523bc3dd9e8fd712f5f45915aaaa2b7d7bd02aa822222eb0a3a5b4afff5baf798680d4a589874c39587

  • SSDEEP

    3072:rsvu7KXKJn26Vkc0yz8gXSOX7L/xDgR0Jj4Pzrc77OWw8x8cf:IvAqKJn26WPyzz//xDgR0Ic769/c

Malware Config

Extracted

Family

xtremerat

C2

lover810.zapto.org

Targets

    • Target

      600bcafe6368257513bdfbb0dc8ca86d_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks