General

  • Target

    629e58914a866edb68ad241fd10c69f7_JaffaCakes118

  • Size

    368KB

  • Sample

    240722-k1d19szclq

  • MD5

    629e58914a866edb68ad241fd10c69f7

  • SHA1

    a7f9cfe02bc8355ed55d999959b34e59ae4cf43d

  • SHA256

    819c8b38ef130ad216803a4cabcfda5b8995f64a1979e13727de7bb14ef918bd

  • SHA512

    bfef59b2dc3946be0185df6a42c0a30cb00d14e492fca321d1cfc6148e36dcb4c004e4d7c8955a365a5751959900873d9c688e518dcb59ffd61dd57649a6fc2b

  • SSDEEP

    6144:xLr3TRNzOcYCjWD2woTC96ntVVV2v9Wm41X:x/TL1jW6wqe6ntmIX

Targets

    • Target

      629e58914a866edb68ad241fd10c69f7_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks