General

  • Target

    54009613e47d93126d37dd7cb4a64534_JaffaCakes118

  • Size

    769KB

  • Sample

    241017-16feaazcqc

  • MD5

    54009613e47d93126d37dd7cb4a64534

  • SHA1

    fa0a507ddcd4dc8a17d85e74448702a2589f5582

  • SHA256

    84079c86c2b28541dfd30a6593cd1c516cf3ceb6617e1b72c4df32e6e8b0889f

  • SHA512

    522d4464727ea425f1e023cc26363124df6c84945472712dc348c9885e2f23bbbb880790e762b5f5249474798583d96bef1f65e9e0a4f756efb3eee73ac9572e

  • SSDEEP

    24576:EoLwQGN2K3yWds0JkKyVDjVM8Qhpa0VUi6O:EoLljadsLhues

Malware Config

Extracted

Family

xtremerat

C2

cuore.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
