General

  • Target

    a631126865d72e0043308cc884d771ec_JaffaCakes118

  • Size

    243KB

  • Sample

    240818-k4xb1swfnc

  • MD5

    a631126865d72e0043308cc884d771ec

  • SHA1

    d33a9bde06fb5a5c2d78a1879cbd9cef39f652a5

  • SHA256

    c3209cd12c0fa82a4184ed62118446f50213df386b2b925708eae4514f16f736

  • SHA512

    153d0d210c205dfd6b1f25d02d4c9c10ada0f837030b91604a06ac3428dc93f6c9784d355ee3bd24a1090d60f4a1b561dc3953e30fc96edacae5b0be8c2daedf

  • SSDEEP

    3072:XFd2Afoka0uMMGYmKlMCJ+UrxkCkK9a7+Z3wCYdj8vK1HDvhk1eSkDyfCnewUmGS:1jQwuYKs7M3jvEu1nkaCneT3NmEQd

Malware Config

Extracted

Family

xtremerat

C2

umtakcicek.dyndns.org

ࠁ谀umtakcicek.dyndns.org

Targets

    • Target

      a631126865d72e0043308cc884d771ec_JaffaCakes118

    • Size

      243KB

    • MD5

      a631126865d72e0043308cc884d771ec

    • SHA1

      d33a9bde06fb5a5c2d78a1879cbd9cef39f652a5

    • SHA256

      c3209cd12c0fa82a4184ed62118446f50213df386b2b925708eae4514f16f736

    • SHA512

      153d0d210c205dfd6b1f25d02d4c9c10ada0f837030b91604a06ac3428dc93f6c9784d355ee3bd24a1090d60f4a1b561dc3953e30fc96edacae5b0be8c2daedf

    • SSDEEP

      3072:XFd2Afoka0uMMGYmKlMCJ+UrxkCkK9a7+Z3wCYdj8vK1HDvhk1eSkDyfCnewUmGS:1jQwuYKs7M3jvEu1nkaCneT3NmEQd

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks