General

  • Target

    612bab126a2b67000f65d56691d516bd_JaffaCakes118

  • Size

    84KB

  • Sample

    240721-yk4hwatgnj

  • MD5

    612bab126a2b67000f65d56691d516bd

  • SHA1

    7165f6354d53b3e72c090609f9100657d1d6abc4

  • SHA256

    af18377bb71be9de8c783a20641cf866165ee760a2003b8eb47a15e9df04086e

  • SHA512

    44b3232233e07447a23cd9e34005e0d571e20ec561dd723b88a43108d53a77aa74fff1f508b3e41848cd4c80ac4cbf979c8e39d47e5c10c0d23e575142e846b4

  • SSDEEP

    1536:ZP1y+QEd7Y83T/y+EsTCT9F0ZFqTnGtHtlBv9VAUfqESUj667CEbu6Q8:ZNKEd7R3MsmT9WZFqTnMNlBjAuXSfj6R

Malware Config

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks