General

  • Target

    61d9cf6a21f396dade366e52db64d783_JaffaCakes118

  • Size

    676KB

  • Sample

    240721-3eed1ssenr

  • MD5

    61d9cf6a21f396dade366e52db64d783

  • SHA1

    7083231e68fc487926d53fe4273c63b429bdd8ee

  • SHA256

    2dbda3b5dbdcc257ab708d772a85a44a7359f81499eb28a09ca727a8be6cf1b7

  • SHA512

    9cabb7ab036da1de093b8d0e3f2f4d70d9070f1387f45dbdec413726fc5da587ead7c74a3b112ed581b1b9ae4f89504c03ab0cecd76e667febcb3fd7f629d122

  • SSDEEP

    12288:5Y2xVO8qkMmXCT9oied1+YKrBQbWvt4UWhlmvLi:WLi

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    rabah1627.zapto.org

Targets

    • Target

      61d9cf6a21f396dade366e52db64d783_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks