General

  • Target

    60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118

  • Size

    184KB

  • Sample

    241020-gg47kasckc

  • MD5

    60a86330789a0643714d2c4ef9c7be5c

  • SHA1

    6cf5eb75e9bb75c2f42bcb301f42f444c5fd595f

  • SHA256

    423bbaf907eb2af786f3765585e8b09f9a8a6931191361ec1e25a7e8ed173fb4

  • SHA512

    e9d36ad02b0fb7adfa42d78aedb1d899ddeaf0a27fd688b00572e0acc158ead5e71f91fe954c7aa25ded65dc77640ff5b7af28b2e607284dd7ba50f4389c4ee3

  • SSDEEP

    1536:34VcdfuvL1VITgv3NOnouy8Vk+3or43OMvkvacjBy02WMm:3oAfKyg1OoutVk+Ys+MvkNjBqWMm

Malware Config

Extracted

Family

xtremerat

C2

schalfer.no-ip.org

Targets

    • Target

      60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118

    • Size

      184KB

    • MD5

      60a86330789a0643714d2c4ef9c7be5c

    • SHA1

      6cf5eb75e9bb75c2f42bcb301f42f444c5fd595f

    • SHA256

      423bbaf907eb2af786f3765585e8b09f9a8a6931191361ec1e25a7e8ed173fb4

    • SHA512

      e9d36ad02b0fb7adfa42d78aedb1d899ddeaf0a27fd688b00572e0acc158ead5e71f91fe954c7aa25ded65dc77640ff5b7af28b2e607284dd7ba50f4389c4ee3

    • SSDEEP

      1536:34VcdfuvL1VITgv3NOnouy8Vk+3or43OMvkvacjBy02WMm:3oAfKyg1OoutVk+Ys+MvkNjBqWMm

    • Detect XtremeRAT payload

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a registry key under the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.
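The four persistence signatures above (Winlogon, Run key, policy Run key, Active Setup) all reduce to a registry value being written under a well-known autostart location. The script below is an added example, not part of this report or of any sandbox's own rule set: it runs that detection logic over a handful of constructed Sysmon-style "registry value set" (Event ID 13) records, written here as dictionaries with the fields image, target and details. The writer path, value names and the Active Setup GUID are invented for the example; the report does not disclose the sample's actual key names. ATT&CK technique IDs are the Enterprise sub-techniques for Winlogon Helper (T1547.004), Registry Run Keys (T1547.001) and Active Setup (T1547.014).

```python
import re
from dataclasses import dataclass

# Constructed events (not from the report): one benign system write, then a
# write by a hypothetical dropped payload to each autostart location the
# report's signatures name.
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\server.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpIPAddress",
     "details": "10.0.0.5"},
    {"image": PAYLOAD,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe," + PAYLOAD},
    {"image": PAYLOAD,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU Key",
     "details": PAYLOAD},
    {"image": PAYLOAD,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "details": PAYLOAD},
    {"image": PAYLOAD,   # GUID below is made up for the example
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{D1E2F3A4-0000-4000-8000-000000000001}\StubPath",
     "details": PAYLOAD + " restart"},
]

# (signature name as in the report, ATT&CK technique, regex over the value path)
PERSISTENCE_RULES = [
    ("Modifies WinLogon for persistence", "T1547.004",
     re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)),
    ("Adds policy Run key to start application", "T1547.001",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)),
    ("Boot or Logon Autostart Execution: Active Setup", "T1547.014",
     re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)),
]

# Writers living in user-writable locations are the usual dropped payloads.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Default Userinit value on a clean system; anything appended after the comma
# is an extra program Winlogon will launch at logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


@dataclass
class Finding:
    signature: str
    technique: str
    image: str
    target: str
    details: str
    severity: str


def classify_event(event):
    """Return a Finding if the registry write lands in an autostart location."""
    target = event["target"]
    for name, technique, pattern in PERSISTENCE_RULES:
        if not pattern.search(target):
            continue
        # Restoring the stock Userinit value is not persistence; skip it.
        if (target.lower().endswith(r"\winlogon\userinit")
                and event["details"].strip().lower() == DEFAULT_USERINIT):
            return None
        severity = "high" if USER_WRITABLE.search(event["image"]) else "medium"
        return Finding(name, technique, event["image"], target, event["details"], severity)
    return None


def detect_persistence(events):
    return [f for f in map(classify_event, events) if f is not None]


def dropped_binaries(findings):
    """Distinct writer images: the executables worth pulling for analysis."""
    return sorted({f.image for f in findings})


if __name__ == "__main__":
    hits = detect_persistence(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.severity}] {f.technique} {f.signature}: {f.image} -> {f.target}")
    print("binaries to collect:", dropped_binaries(hits))
```

In a real pipeline the dictionaries would be built from the Sysmon EventData fields Image, TargetObject and Details; the rules and the Userinit allow-list are the parts that transfer unchanged.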

MITRE ATT&CK Enterprise v15