General

  • Target

    cfe093395215bab9491fa7e8b74485f4_JaffaCakes118

  • Size

    142KB

  • Sample

    241207-a746xssqel

  • MD5

    cfe093395215bab9491fa7e8b74485f4

  • SHA1

    b1f3305d94f0b486503ff97645808369442a3bf4

  • SHA256

    9c8e9d37fe4ec0f5a6595cf88bd97d78a0b8b96693342c355868859156e06107

  • SHA512

    6bda66ff11ae4e49de36ddd397011ab3737055026f263726ae0f270e8ab209727d05acad67a7c9504a2cd804fb7382466dbc0f1d5e52d9074958cbafa5d8f4f5

  • SSDEEP

    3072:fPaZ0JKSs3hPSMNpwzyfzg2W1Rc8waKK5:ndsXKyM2k+8TN

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    vvnv12.no-ip.biz

Targets

    • Target

      cfe093395215bab9491fa7e8b74485f4_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks