General

Target: 8ba8f8047917a06adc3f6d807eaf7626_JaffaCakes118
Size: 1.1MB
Sample: 241103-qhh56avhmj
MD5: 8ba8f8047917a06adc3f6d807eaf7626
SHA1: 937df687973edec3f51550cc5cab9367ab7d1d68
SHA256: a17a56a6133deb30a7b5347798b8cac8438e90695cae989a41971fe1583682ba
SHA512: b2434f2bd3acbc9b971ed43037706ccbdec3fd7122ad59ec4df7cb8f2e31d25cc10705eaceaedba8a0fe2efd6704518c844f5aa1e383fdf0e1d9f41c7213899a
SSDEEP: 24576:PhtO1/DsEOLcnKpIfn/jjm0YfoGyFdg6phEACvTHdg6pj:Jtq/DsEiWf/jafotPpCvJPp
Static task: static1

Behavioral tasks (sample, resource):
  behavioral1:  Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe            (win7-20240903-en)
  behavioral2:  Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe            (win10v2004-20241007-en)
  behavioral3:  Chams Sudden + Mado_s Injectors/UPDATE Chams Sudden Latino.dll  (win7-20240903-en)
  behavioral4:  Chams Sudden + Mado_s Injectors/UPDATE Chams Sudden Latino.dll  (win10v2004-20241007-en)
  behavioral5:  Perx Wall hack S.ALatino/Perx Updated.exe                       (win7-20240903-en)
  behavioral6:  Perx Wall hack S.ALatino/Perx Updated.exe                       (win10v2004-20241007-en)
  behavioral7:  Perx Wall hack S.ALatino/UPDATE Chams Sudden Latino.dll         (win7-20241010-en)
  behavioral8:  Perx Wall hack S.ALatino/UPDATE Chams Sudden Latino.dll         (win10v2004-20241007-en)
  behavioral9:  Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe             (win7-20240903-en)
  behavioral10: Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe             (win10v2004-20241007-en)
Malware Config

Extracted: xtremerat
  cutosky.dyndns.org
Targets

Target: Chams Sudden + Mado,s Injectors/Mado,s Injectors.exe
Size: 199KB
MD5: 6f04b35e2ab8ef9b793aa3b6b21bd3f3
SHA1: 456d2013c9c9558153a073bff5666225cb2957e2
SHA256: 1829c3afcad6a480a1dccf4b33b4728cc731a2d2ad1a59b23566dd3497c80564
SHA512: b03d28859a743a2ba45c26091b480c0d7784e41aa44d23751bcfccc0c2afeda6e520d485e692708ce3016a542a79c97f8b08994dbcbd1f7d8da195f45b1930a6
SSDEEP: 6144:QjbeiZ/rVBPKs27FbbMlIRf20vrtSQPUgXc:Qu8/QgIh/kQPUYc
Signatures:
  Detect XtremeRAT payload
  Modifies WinLogon for persistence
  XtremeRAT
    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
  Xtremerat family
  Adds policy Run key to start application
  Boot or Logon Autostart Execution: Active Setup
    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops file in System32 directory
  Suspicious use of SetThreadContext
Target: Chams Sudden + Mado,s Injectors/UPDATE Chams Sudden Latino.dll
Size: 64KB
MD5: c1f43582036e27067d974179b0ad4221
SHA1: 00f36a8be369aa8fb9b8efc14e4146bd42f62bfc
SHA256: 7f8da421f0eaadeda79ca46c417e2d446bdbc4b103f06d82a9e6ca33c76de82d
SHA512: 83c898f706dbfaf963260ea5f29bb987b221e02daf97c3492a13c91da01481fa6b829cf231e35fefb4ef56d94f63abe1dda1ea053963c47f301fd412c11bc9ce
SSDEEP: 1536:eszZ4c0NWs9EqD4AZJpjC3ERj2ZpeH2+yrW:NF0vl4AZu3NTeH2+yr
Score: 3/10
Target: Perx Wall hack S.ALatino/Perx Updated.exe
Size: 233KB
MD5: 8c4adab323fa75d5aede1abf3e366226
SHA1: 10ffb2983f15ab01d7594a63391de3f734d62982
SHA256: efbf5fbeb95dbc2bcb9c49ddb506d83d61c1faea4ebadb323fd3bf8348f02368
SHA512: 6cb4cad588c24d627ddf214c3b8650043706cde3fcbdd4da1ac97f189613e35902bb1fe9d6f46bfaaef7526d378144c6c3273181db2e025652728ba76cc26463
SSDEEP: 3072:+LpV3eLW1Ogn1KOX+9BsL2RhFGpgpV3eLW1Ogn1K:+LpV3uWk9F9FFGgpV3uWk9
Score: 3/10
Target: Perx Wall hack S.ALatino/UPDATE Chams Sudden Latino.dll
Size: 64KB
MD5: c1f43582036e27067d974179b0ad4221
SHA1: 00f36a8be369aa8fb9b8efc14e4146bd42f62bfc
SHA256: 7f8da421f0eaadeda79ca46c417e2d446bdbc4b103f06d82a9e6ca33c76de82d
SHA512: 83c898f706dbfaf963260ea5f29bb987b221e02daf97c3492a13c91da01481fa6b829cf231e35fefb4ef56d94f63abe1dda1ea053963c47f301fd412c11bc9ce
SSDEEP: 1536:eszZ4c0NWs9EqD4AZJpjC3ERj2ZpeH2+yrW:NF0vl4AZu3NTeH2+yr
Score: 3/10
Target: Siyanur lag hack- S.A latino/siyanur - Lag Hack.exe
Size: 777KB
MD5: 91c8a2597dfaa6acd74e3e36aad13795
SHA1: 6eecfee76e50c1386d5e2ace2d854b36e772f39e
SHA256: 6579041d87f55e77a82942f943ecee122555a40f0bc93be4614cf024b87f1cf1
SHA512: bba3004e251eeeed049a656746fe3e915e46953f46078cefd18bb79a7dd04f81155f4396e3bb07ae99523ac4fa99386255e378eeee997550bc875004c7a1c7ab
SSDEEP: 24576:5naVMJ3TWq+OxymwoglBMazrEdr6kS3rJQBtUkBgJ:5amJjyOwmwoMFqrSinXBgJ
Score: 7/10
Signatures:
  Executes dropped EXE
  Loads dropped DLL
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)