General

  • Target

    c84f1f50f835b553b0505e7c1a17d053_JaffaCakes118

  • Size

    1.3MB

  • Sample

    241205-smygrawldr

  • MD5

    c84f1f50f835b553b0505e7c1a17d053

  • SHA1

    8c1fb33748c6b56eae1b925aab3b278419bab13e

  • SHA256

    bb77ccca5f9c6b8b65c80ffbf3f50623bbab0655e487a2c14e7b19c726eaf3e1

  • SHA512

    c8eeeaf4e1f8262585732b088af33a731b028960e29d1864e48601bcf952745cc77e57d16692f7156cdba66acebc39272cbdcdbf2df675fcf43b2ec8612c367e

  • SSDEEP

    24576:pRmJkcoQricOIQxiZY1WNjHPoccAe2HFPXEsx12KQUHYBR:mJZoQrbTFZY1WNzXpbWUH8

Malware Config

Extracted

Family

xtremerat

C2

alano2013.no-ip.org

IP: 1gameszero.dyndns.org

Ągameszero.dyndns.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks