General

  • Target

    6284dcc9d95344904ca5cf947036449b_JaffaCakes118

  • Size

    588KB

  • Sample

    240722-ke9wtaxfqh

  • MD5

    6284dcc9d95344904ca5cf947036449b

  • SHA1

    5a0edb3e0f9a369d2c156257383f4170862f6396

  • SHA256

    e6e6cde21fafc3aa7fa0fc78ba36f7bdaf72cb2cb97ddde75e838d0bdf8e1a51

  • SHA512

    37d463bc3485ff65d459f1ea4ec2b730f0bf53392cdee3f634373d75696231aa3f6ca2976b5160b94083a2d78e8c574733aa742fc06bf19f30a65319212f7a28

  • SSDEEP

    1536:sCcvUp3OHauQrKeKtoM9TvrA91sXyKZt:XcvsOHajrZdM81sXyGt

Malware Config

Extracted

Family

xtremerat

C2

wer99.no-ip.org

Targets

    • Target

      6284dcc9d95344904ca5cf947036449b_JaffaCakes118

    • Size

      588KB

    • MD5

      6284dcc9d95344904ca5cf947036449b

    • SHA1

      5a0edb3e0f9a369d2c156257383f4170862f6396

    • SHA256

      e6e6cde21fafc3aa7fa0fc78ba36f7bdaf72cb2cb97ddde75e838d0bdf8e1a51

    • SHA512

      37d463bc3485ff65d459f1ea4ec2b730f0bf53392cdee3f634373d75696231aa3f6ca2976b5160b94083a2d78e8c574733aa742fc06bf19f30a65319212f7a28

    • SSDEEP

      1536:sCcvUp3OHauQrKeKtoM9TvrA91sXyKZt:XcvsOHajrZdM81sXyGt

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the local machine's Active Setup hive (HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID}); the StubPath value of such a component is executed the next time a user logs on (MITRE ATT&CK T1547.014).

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
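The report above gives a handful of indicators (the file hashes, the no-ip.org C2 hostname, and persistence through a Run key and Active Setup). The following is an added example, not part of the sandbox report, showing how those indicators can be matched against endpoint telemetry. The events below are constructed for illustration in a simplified Sysmon-like dict form (Event ID 1 process create, 13 registry value set, 22 DNS query); the field names mirror Sysmon's but the paths, SIDs and GUID are made up. SetThreadContext use is not visible in these log sources and is deliberately not covered.

```python
"""Match the report's IOCs (hashes, C2 domain, persistence keys) against
constructed Sysmon-style events. Added example, not part of the report."""
import re

# Indicators taken directly from the report.
SAMPLE_MD5 = "6284dcc9d95344904ca5cf947036449b"
SAMPLE_SHA256 = "e6e6cde21fafc3aa7fa0fc78ba36f7bdaf72cb2cb97ddde75e838d0bdf8e1a51"
C2_DOMAIN = "wer99.no-ip.org"

# Persistence locations named by the report's signatures:
# Run / RunOnce keys (T1547.001) and Active Setup StubPath (T1547.014).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    re.IGNORECASE)


def classify(event):
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    eid = event.get("EventID")
    if eid == 1:
        # Sysmon formats hashes as "MD5=...,SHA256=...", case may vary.
        hashes = event.get("Hashes", "")
        hm = dict(p.split("=", 1) for p in hashes.split(",") if "=" in p)
        if (hm.get("SHA256", "").lower() == SAMPLE_SHA256
                or hm.get("MD5", "").lower() == SAMPLE_MD5):
            findings.append(f"known sample executed: {event.get('Image')}")
    elif eid == 13:
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            findings.append(f"Run key persistence: {target} -> {event.get('Details')}")
        if ACTIVE_SETUP_RE.search(target):
            findings.append(f"Active Setup persistence: {target} -> {event.get('Details')}")
    elif eid == 22:
        query = event.get("QueryName", "").lower().rstrip(".")
        if query == C2_DOMAIN:
            findings.append(f"C2 DNS lookup: {query} by {event.get('Image')}")
        elif query.endswith(".no-ip.org"):
            # Same dynamic-DNS provider as the C2; worth review, not a hard hit.
            findings.append(f"dynamic DNS lookup (review): {query} by {event.get('Image')}")
    return findings


def scan(events):
    """Run classify over a sequence of events; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed events (paths, SID and GUID are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\user\Downloads\6284dcc9d95344904ca5cf947036449b_JaffaCakes118.exe",
     "Hashes": f"MD5={SAMPLE_MD5.upper()},SHA256={SAMPLE_SHA256.upper()}"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "Details": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B8F1A2C-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "QueryName": "wer99.no-ip.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "QueryName": "www.microsoft.com"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "Details": r"C:\Users\Public\Desktop"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The Run key match is on the key path only, so it will also fire on legitimate software installing its own autostart entry; in practice the Details value (the executable written) is what separates the sample's drop from a benign installer, and the Active Setup hit is the stronger signal because few legitimate products still write there.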

MITRE ATT&CK Enterprise v15
