General

  • Target

    64c1988c983d043a875591cb3fb42028_JaffaCakes118

  • Size

    21KB

  • Sample

    241021-abqnnazbqr

  • MD5

    64c1988c983d043a875591cb3fb42028

  • SHA1

    d80fa9df4089b36ee7e124d5876e8c50f1ee8785

  • SHA256

    986255900be2eb56376108711208fd1806fd2f6ccc82078402788fa4d32f0757

  • SHA512

    219a4844dce632994c479324c47c59318b35d03a86be975c079b7216e8f5de64c82687f2991bb54347d8f7e4f44d4d432654a2e17c8393f536af3dfbcb18ad54

  • SSDEEP

    384:rHIdmF+Ti213fEF9QZd/cBr5M/gOjkaS4s/1k5YiZNl0tpQtXbidfhO8dpLR:TIsF81fG9QveLOYTe5YicpQZi9hO8h

Malware Config

Extracted

Family

xtremerat

C2

safo19.no-ip.biz
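The one indicator this config gives is a dynamic-DNS hostname, so the first hunt is for resolutions of it. Below is an added example (not part of the sandbox report) that scans DNS query logs for the extracted C2 host; the log line format, the sample lines and the client addresses are constructed, and the "last two labels" rule for the provider domain is a simplification noted in the code.

```python
"""Hunt DNS query logs for the C2 host extracted from the XtremeRAT config.

Added example, not part of the sandbox report. The log format below is a
constructed one (timestamp, client IP, query type, query name); adapt the
split() to whatever your resolver or Zeek dns.log actually emits.
"""

# Taken from the report's Malware Config section.
C2_HOSTS = {"safo19.no-ip.biz"}

# Constructed sample log lines. Note the mixed case and the trailing dot that
# many resolvers log for fully qualified names; a naive string compare misses both.
SAMPLE_DNS_LOG = """\
2024-10-21T09:12:01Z 10.0.0.15 A www.example.com.
2024-10-21T09:12:04Z 10.0.0.15 A SAFO19.no-ip.biz.
2024-10-21T09:12:09Z 10.0.0.22 AAAA updates.vendor.example
2024-10-21T09:13:40Z 10.0.0.15 A safo19.no-ip.biz
2024-10-21T09:14:02Z 10.0.0.31 A other-host.no-ip.biz.
malformed line
"""


def normalize_fqdn(name: str) -> str:
    """Canonical form for comparison: lower case, no trailing root dot."""
    return name.strip().rstrip(".").lower()


def dyndns_parents(c2_hosts) -> set:
    """Registrable parent of each C2 host (e.g. no-ip.biz for safo19.no-ip.biz).

    Heuristic (assumption): last two labels. Good enough for no-ip.biz; use a
    public-suffix list for hosts under multi-label suffixes such as co.uk.
    """
    return {".".join(normalize_fqdn(h).split(".")[-2:]) for h in c2_hosts}


def hunt_dns_log(log_text: str, c2_hosts=C2_HOSTS) -> list:
    """Return one hit per query that matches the C2 exactly ("high") or sits
    under the same dynamic-DNS provider ("info")."""
    c2 = {normalize_fqdn(h) for h in c2_hosts}
    parents = dyndns_parents(c2_hosts)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or unrelated line: skip rather than crash
        ts, client, qtype, qname = parts
        q = normalize_fqdn(qname)
        if q in c2:
            hits.append({"ts": ts, "client": client, "qname": q, "level": "high",
                         "reason": "query for extracted C2 host"})
        elif any(q == p or q.endswith("." + p) for p in parents):
            hits.append({"ts": ts, "client": client, "qname": q, "level": "info",
                         "reason": "query under the same dynamic-DNS provider"})
    return hits


def clients_contacting_c2(hits) -> list:
    """Distinct hosts that resolved the C2 name; these are the triage priority."""
    return sorted({h["client"] for h in hits if h["level"] == "high"})


if __name__ == "__main__":
    found = hunt_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(f'{h["level"]:5} {h["ts"]} {h["client"]} {h["qname"]} ({h["reason"]})')
    print("clients to isolate:", clients_contacting_c2(found))
```

Only the exact host is treated as a high-confidence hit: no-ip.biz hosts a large number of unrelated dynamic-DNS names, so a sibling name is worth a look but not an alert on its own. A free dynamic-DNS name also means the resolved IP can change between runs, which is why the hunt keys on the name rather than on whatever address the sandbox saw.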

Targets

    • Target

      64c1988c983d043a875591cb3fb42028_JaffaCakes118

    • Size

      21KB

    • MD5

      64c1988c983d043a875591cb3fb42028

    • SHA1

      d80fa9df4089b36ee7e124d5876e8c50f1ee8785

    • SHA256

      986255900be2eb56376108711208fd1806fd2f6ccc82078402788fa4d32f0757

    • SHA512

      219a4844dce632994c479324c47c59318b35d03a86be975c079b7216e8f5de64c82687f2991bb54347d8f7e4f44d4d432654a2e17c8393f536af3dfbcb18ad54

    • SSDEEP

      384:rHIdmF+Ti213fEF9QZd/cBr5M/gOjkaS4s/1k5YiZNl0tpQtXbidfhO8dpLR:TIsF81fG9QveLOYTe5YicpQZi9hO8h

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>, whose StubPath command Windows runs for each user at logon until that user's HKCU copy of the component is current).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution by locale.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the open-source UPX packer.
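The two persistence signatures above (Active Setup and the Run key) map to registry value writes, which Sysmon records as Event ID 13. The following is an added example, not the sandbox's own signature logic, that triages such events: the Active Setup and Run key paths are the real locations, while the events, the GUID and the file paths are constructed, and the "dropped location" severity bump is a heuristic assumption flagged in the code.

```python
"""Triage Sysmon-style registry events for the persistence the report flags.

Added example, not the sandbox's signature logic. Events are constructed dicts
shaped like Sysmon Event ID 13 (RegistryEvent: value set); the key paths are
the real Active Setup and Run locations, the GUID and file paths are made up.
"""
import re

# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}\StubPath
# (also under Wow6432Node): the StubPath command runs at each user's logon
# until that user's HKCU copy of the component matches.
ACTIVE_SETUP_RE = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)
# HKLM/HKCU ...\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce values.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# Heuristic (assumption): a command that launches from a user-writable drop
# location is more suspicious than one under Program Files.
DROPPED_PATH_RE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)

SAMPLE_EVENTS = [  # constructed; GUID and paths are placeholders
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{00000000-0000-0000-0000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\InstallDir\Server.exe restart"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Server",
     "Details": r"C:\Users\victim\AppData\Roaming\InstallDir\Server.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Classes\Local Settings\MuiCache\abc",
     "Details": r"Some app"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\sample.exe"},
]


def triage_registry_events(events) -> list:
    """Return persistence findings; each carries the ATT&CK sub-technique."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only value-set events carry the autostart command
        target, cmd = ev.get("TargetObject", ""), ev.get("Details", "")
        if ACTIVE_SETUP_RE.search(target):
            technique = "T1547.014 Active Setup"
        elif RUN_KEY_RE.search(target):
            technique = "T1547.001 Registry Run key"
        else:
            continue
        severity = "high" if DROPPED_PATH_RE.search(cmd) else "medium"
        findings.append({"technique": technique, "severity": severity,
                         "writer": ev.get("Image", ""), "key": target, "command": cmd})
    return findings


if __name__ == "__main__":
    for f in triage_registry_events(SAMPLE_EVENTS):
        print(f'{f["severity"]:6} {f["technique"]}: {f["key"]} -> {f["command"]}')
```

Sysmon logs value writes, not reads, so the "Checks computer location settings" behaviour (a registry read of the locale) is not visible through this event and needs the sandbox's API trace or a registry-read audit instead. The vendor Run value in the sample shows why severity comes from the command, not the key: Run keys are written constantly by legitimate installers.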
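The UPX signature above rests on the PE section table: stock UPX leaves sections named UPX0/UPX1 (an unbacked decompression area followed by a dense compressed blob). As an added example, not the sandbox's detector and not code from the report, the block below parses a section table and applies both the name check and a shape-and-entropy check that also catches renamed sections. The PE images it inspects are constructed inline by build_pe() and are parser fixtures only, not loadable executables.

```python
"""Parse a PE section table and apply the UPX heuristics a sandbox uses.

Added example, not the sandbox's detector and not code from the report. The
PE fixtures are built inline by build_pe(), which writes just enough of a
PE32 image (DOS stub, COFF header, zeroed optional header, section table,
raw section data) for a section parser; they are not loadable executables.
"""
import hashlib
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed/encrypted data sits near 8.0, code around 5-6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk e_lfanew -> COFF header -> section table and return per-section facts."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def analyze_pe(pe: bytes) -> dict:
    s = parse_sections(pe)
    # Stock UPX names its sections UPX0/UPX1/UPX2; a "modified UPX" build may
    # rename them, so the second heuristic looks at shape instead of names:
    # a section with no file-backed data but a large virtual size (the unpack
    # target) next to a near-random one (the compressed payload).
    by_name = any(x["name"].upper().startswith("UPX") for x in s)
    unbacked = any(x["raw_size"] == 0 and x["virtual_size"] >= 0x1000 for x in s)
    dense = any(x["entropy"] >= 7.0 for x in s)
    return {"sections": s, "upx_section_names": by_name,
            "packer_heuristic": unbacked and dense}


def build_pe(sections) -> bytes:
    """Constructed PE32 fixture: sections is a list of (name, virtual_size, raw_bytes)."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222      # PE32 magic, rest zeroed
    headers = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_base = (headers + 511) // 512 * 512           # FileAlignment 0x200
    table, payload, vaddr = b"", b"", 0x1000
    for name, vsize, data in sections:
        ptr = raw_base + len(payload) if data else 0
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize,
                             vaddr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        payload += data
        vaddr += (max(vsize, len(data)) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                                   len(opt), 0x0102)
    image = dos + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + payload


def pseudo_random(n: int, seed: bytes = b"packed-demo") -> bytes:
    """Deterministic high-entropy filler standing in for UPX-compressed data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed fixtures: a UPX-shaped image and a plain one.
UPX_LIKE = build_pe([("UPX0", 0x10000, b""),
                     ("UPX1", 0x4000, pseudo_random(4096)),
                     (".rsrc", 0x1000, b"\0" * 512)])
PLAIN = build_pe([(".text", 0x2000, b"\x55\x8b\xec\x90" * 256),
                  (".data", 0x1000, b"\0" * 1024)])

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        r = analyze_pe(img)
        print(label, r["upx_section_names"], r["packer_heuristic"],
              [(x["name"], x["entropy"]) for x in r["sections"]])
```

Section names are trivial to rewrite, which is exactly what the "modified UPX" wording in the signature refers to; such builds also tend to break `upx -d`, so a stock-UPX unpack failing on a sample that still shows the unbacked-plus-dense shape is itself a useful observation. The entropy threshold is a working value, not a standard: resource sections holding compressed images also score high, so read it together with the section shape rather than alone.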

MITRE ATT&CK Enterprise v15

Tasks