General

  • Target

    a52d440cd4bbe5c189bf3af4951e372f_JaffaCakes118

  • Size

    683KB

  • Sample

    240818-dr82qasdlf

  • MD5

    a52d440cd4bbe5c189bf3af4951e372f

  • SHA1

    efa5088a441ac9a7f2366cc93b4c2e2227f33c68

  • SHA256

    f254cd439f817d7bf5cc1477a2723e89e6645b91a038b25a6b71be4641f067d6

  • SHA512

    f547bb3635fb4f669060f1c7ca726b3f50188f62230f5d76cfa155b7180f4d033f25ab70e22045abbd921052a57abb44039d3281d2cf0d984a21b4abfafafa90

  • SSDEEP

    12288:6aWzgMg7v3qnCiMErQohh0F4CCJ8lny/QO8bZ/Mx5Z:1aHMv6Corjqny/QlbZ/E

Malware Config

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks