General

  • Target

    a51ed15ca6be35fc6ebafe88f6ea0261_JaffaCakes118

  • Size

    54KB

  • Sample

    240818-df3ess1gne

  • MD5

    a51ed15ca6be35fc6ebafe88f6ea0261

  • SHA1

    aebf80bfe447fe585f9dc15dcebd991cc67e1552

  • SHA256

    f352b7fd1230f49ed8c15325317432c23c0fa117c28fb5dc37c87ce6368ea2ee

  • SHA512

    94f83872ea7ec0d1f825b7dddd135696a5bc28de62f815a458708f14a3538b4beab2db97aacd2e624d4ea4498aee5420ee5051b19260895f650c95d32bb8787c

  • SSDEEP

    768:YB6yZyR1Oy4BtXX5vrnTY2DjT+zIXX+qQjtyv+KspGefEl8oHNpHLv6jQUi8WeXv:YQO3BtnrDjxatyvZs4bnNhv68D8WeXv

Malware Config

Extracted

Family

xtremerat

C2

djamel.hopto.org (hopto.org is a No-IP dynamic DNS zone shared with legitimate users, so alert on or block the full hostname rather than the parent domain)

Targets

    • Target

      a51ed15ca6be35fc6ebafe88f6ea0261_JaffaCakes118

    • Size

      54KB

    • MD5

      a51ed15ca6be35fc6ebafe88f6ea0261

    • SHA1

      aebf80bfe447fe585f9dc15dcebd991cc67e1552

    • SHA256

      f352b7fd1230f49ed8c15325317432c23c0fa117c28fb5dc37c87ce6368ea2ee

    • SHA512

      94f83872ea7ec0d1f825b7dddd135696a5bc28de62f815a458708f14a3538b4beab2db97aacd2e624d4ea4498aee5420ee5051b19260895f650c95d32bb8787c

    • SSDEEP

      768:YB6yZyR1Oy4BtXX5vrnTY2DjT+zIXX+qQjtyv+KspGefEl8oHNpHLv6jQUi8WeXv:YQO3BtnrDjxatyvZs4bnNhv68D8WeXv

    • Detect XtremeRAT payload

    • XtremeRAT

XtremeRAT, written in Delphi by xtremecoder, has been available since at least 2010. The sandbox signatures below (Active Setup and Run-key persistence, self-deletion, UPX packing, SetThreadContext) are the behaviours observed for this sample.

    • Boot or Logon Autostart Execution: Active Setup

Adversaries may achieve persistence by adding a component under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; the command in its StubPath value is run at the next interactive logon of each user whose HKCU copy of that component is missing or carries a lower Version.

    • Deletes itself

    • UPX packed file

Detects executables packed with the open-source UPX packer or a modified UPX build; unpack (or dump from memory) before static analysis.

    • Adds Run key to start application

      Writes a value under a ...\Software\Microsoft\Windows\CurrentVersion\Run key (HKCU or HKLM) so the payload starts at logon.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended thread of another process is the step in process hollowing that redirects execution to injected code before the thread is resumed.
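The Active Setup and Run-key findings above are the two registry persistence locations a responder would want to sweep on other hosts. The following Python is an added example, not part of the sandbox report or of any XtremeRAT tooling: it parses a `reg export` style text and flags StubPath and Run-key command lines whose executable lives outside the Windows or Program Files trees. The registry export embedded in it is constructed for illustration; the GUIDs, user name and file names are made up and are not indicators from this sample.

```python
"""Flag suspicious Active Setup StubPath and Run-key entries in a .reg export.

Added example (not from the sandbox report). On a live host produce the input
with, for example:
  reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" as.reg
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export: one benign Active Setup component, one component
# whose StubPath points into %APPDATA%, and a Run key with one benign and one
# %TEMP%-resident entry. GUIDs, paths and names are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:/UserInstall C:\\Windows\\system32\\themeui.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-1111-2222-333344445555}]
"StubPath"="C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\update.exe restart"
"Version"="1,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"""

# Executables under these trees are treated as expected; everything else is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [Key] headers and "Name"="string" values.
    dword:/hex: values are skipped; persistence command lines are REG_SZ."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        value = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if value and current is not None:
            name, data = (_unescape(part) for part in value.groups())
            keys[current][name] = data
    return keys


def classify_key(key: str) -> Optional[str]:
    """Return which persistence location a key path belongs to, if any."""
    k = key.lower()
    if "\\microsoft\\active setup\\installed components\\" in k:
        return "Active Setup"
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        return "Run key"
    return None


def command_executable(cmd: str) -> str:
    """Extract the executable path from a command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_suspicious_persistence(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, key, executable, reason) for entries outside trusted trees."""
    findings: List[Tuple[str, str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        kind = classify_key(key)
        if kind is None:
            continue
        for name, cmd in values.items():
            if kind == "Active Setup" and name.lower() != "stubpath":
                continue  # only StubPath is executed at logon
            exe = command_executable(cmd)
            low = exe.lower()
            if low.startswith(TRUSTED_PREFIXES):
                continue
            if "\\appdata\\" in low or "\\temp\\" in low:
                reason = "user-writable location"
            else:
                reason = "outside Windows/Program Files"
            findings.append((kind, key, exe, reason))
    return findings


if __name__ == "__main__":
    for kind, key, exe, reason in find_suspicious_persistence(SAMPLE_REG_EXPORT):
        print(f"[{kind}] {exe} ({reason})\n    {key}")
```

The path heuristic is deliberately narrow: a StubPath or Run value that launches a trusted binary such as regsvr32.exe, rundll32.exe or powershell.exe with a malicious argument passes the prefix check, so review the full command line of every entry, not only the flagged ones. Treat a hit as a lead to pivot on (file hash, creation time, the user whose HKCU Version is behind), not as confirmation on its own.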
