General

  • Target

    619f9d731ca2f8fb6fa1222c25b29b33_JaffaCakes118

  • Size

    257KB

  • Sample

    240721-181g8sxepf

  • MD5

    619f9d731ca2f8fb6fa1222c25b29b33

  • SHA1

    8bd7e0bf2a509a646ed8d8b52280369733436b78

  • SHA256

    cdd357c09d51b39754f75e63591f7cd0a7d0156c67e873bf5a4a980056a4e0b9

  • SHA512

    a2f5a0b13da794b113e056952cd9a9ce0059ebeed369eca8b5d6d3b076c5b55a5f8e4b7374cc69bcd67b046e2bb5a1c7733b9a4b977cd2fc01371509dacd726f

  • SSDEEP

    6144:/SncRlvm8141en6mfFN2WfEjI75nuWDQbj:64g8141w6mNN7fn5nPm

Malware Config

Extracted

Family

xtremerat

C2

da3sat.no-ip.biz

Targets

    • Target

      619f9d731ca2f8fb6fa1222c25b29b33_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks