General

  • Target

    a4318d183e12cbcbf19368e39c99e327_JaffaCakes118

  • Size

    227KB

  • Sample

    240817-z96j7sxfqg

  • MD5

    a4318d183e12cbcbf19368e39c99e327

  • SHA1

    20f9e42276799555a0c9c1305601e6293f0713f5

  • SHA256

    84aa3d66b2a2820614e737c758d404bd624095a214928d3366f7fd27cfb2fd54

  • SHA512

    1c00c7e7075928e8a7e5e1086acbe8f134d0590ee9852a7eb9bf7a2ced238299b37335aca001710c968a9811f1fa9a9383b3143bc38b752f4a8201829b85590c

  • SSDEEP

    3072:RVsZHl3fcdjX5vE//3Ll3fcdjX5vE//34:R6lPcdD5kLlPcdD5k4

Malware Config

Extracted

Family

xtremerat

C2

demone2011.no-ip.org

Targets


    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks