General
-
Target
d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118
-
Size
173KB
-
Sample
241207-hkqn1s1lew
-
MD5
d1233b402c1f2eb42d9114cabc620af3
-
SHA1
981ed9468d9ebca4ba046194822f87be88819bac
-
SHA256
62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad
-
SHA512
be1586ddf658184832198e66fb2453dd3b18faa2ace6e0b82887a5bf384c632aaf7c85f53c436b1661bb86c3fa93f42226ed6512bf62a5d6d6e9277418173d25
-
SSDEEP
3072:ogO8Ng8VvnvhcZcqfVwuS1glK8CjB0jmUJXRnLuJuq77i28W:ogng8VCZ59/rKtjTUPuJPJT
Malware Config
Targets
-
-
Target
d1233b402c1f2eb42d9114cabc620af3_JaffaCakes118
-
Size
173KB
-
MD5
d1233b402c1f2eb42d9114cabc620af3
-
SHA1
981ed9468d9ebca4ba046194822f87be88819bac
-
SHA256
62b98bcdf890bff37ce85ce18d8b4ac046c6a248979ef068c3298e75a48dc5ad
-
SHA512
be1586ddf658184832198e66fb2453dd3b18faa2ace6e0b82887a5bf384c632aaf7c85f53c436b1661bb86c3fa93f42226ed6512bf62a5d6d6e9277418173d25
-
SSDEEP
3072:ogO8Ng8VvnvhcZcqfVwuS1glK8CjB0jmUJXRnLuJuq77i28W:ogng8VCZ59/rKtjTUPuJPJT
Score10/10-
Detect XtremeRAT payload
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload
-
Isrstealer family
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2