General

  • Target

    a69c3618aaf363b55138f9a49c0e6e95_JaffaCakes118

  • Size

    204KB

  • Sample

    240818-nmtrca1hnf

  • MD5

    a69c3618aaf363b55138f9a49c0e6e95

  • SHA1

    2d8d112036dd88936136c230f5d01d5c5d28583c

  • SHA256

    ea6d1c2f2c8ea487bdafb2f6500c8f287b9911a57c352b43959ab4ee5de31c0e

  • SHA512

    c89bb8287af2bfead9739b9b71f0e00fdb2cfe234b0741f16cd69094b50c1788b4895b09855fdc6f0b0ffd41a1d08622b2c2f76a48cf397f70bb35e101fe8a1c

  • SSDEEP

    1536:3DYqvv31W+yguAiQ/cBJWumC7ZRtSjGN46XdJBm/V+nyBSuB456HbIanHya08g:/NlfiQUShCHJUdyvuBjMaHy1R

Malware Config

Extracted

Family

xtremerat

C2

tnx2x.no-ip.biz

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks