General

  • Target

    a62169e9d2e240c83f52ecd474863241_JaffaCakes118

  • Size

    40KB

  • Sample

    240818-kqxevsydkn

  • MD5

    a62169e9d2e240c83f52ecd474863241

  • SHA1

    e776d4ed6a0e7023902ccc3a52f4503f990c6998

  • SHA256

    5f0401e9c1b74b359057175256f45044330ec813c895ca05472d9210a99aab7d

  • SHA512

    1f9e919dfd11525e67813d37ca37c95f087fb74b31184cdac7bc2602c8181a41dd2f65c4fd55251628ab7566f5a33c74ecc9f619a207672eae8a148196914034

  • SSDEEP

    768:kE9hghdN12Ozhiow2Gkm6+c3/pBzNBwIldRzot:ku+zMOlw2GkmS3/Bld5ot

Malware Config

Targets

    • Target

      a62169e9d2e240c83f52ecd474863241_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks