General

  • Target

    5fe939b56f4ee50a4e2212a24a153a65_JaffaCakes118

  • Size

    201KB

  • Sample

    240720-lcnfgazblh

  • MD5

    5fe939b56f4ee50a4e2212a24a153a65

  • SHA1

    c780193685cbd16dc44545aa6a0ed6be4df41382

  • SHA256

    c3f9339ffa97cecb7bea9077bf11ffb9b248d2c84844b23012eee77fb3d5147b

  • SHA512

    01de2672255afbe52eda3f6a26fd90e6848316dd9f9dc0a7e2b7e2fa4f4d9a4ba84a615e5337b2123d718d8a17a681f06c309c15268d75ac57b4ceb7a5f842c2

  • SSDEEP

    6144:EjQCNj0nVW5GJZ2tNYLj8Mfs+ZAsawPo:EjQCNoVzYKj86s+ZAs

Malware Config

Extracted

Family

xtremerat

C2

sareey.no-ip.biz

Targets

    • Target

      5fe939b56f4ee50a4e2212a24a153a65_JaffaCakes118

    • Size

      201KB

    • MD5

      5fe939b56f4ee50a4e2212a24a153a65

    • SHA1

      c780193685cbd16dc44545aa6a0ed6be4df41382

    • SHA256

      c3f9339ffa97cecb7bea9077bf11ffb9b248d2c84844b23012eee77fb3d5147b

    • SHA512

      01de2672255afbe52eda3f6a26fd90e6848316dd9f9dc0a7e2b7e2fa4f4d9a4ba84a615e5337b2123d718d8a17a681f06c309c15268d75ac57b4ceb7a5f842c2

    • SSDEEP

      6144:EjQCNj0nVW5GJZ2tNYLj8Mfs+ZAsawPo:EjQCNoVzYKj86s+ZAs

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks