General

  • Target

    d1cd48a7c5003ad9ff1e68abf3017daf_JaffaCakes118

  • Size

    243KB

  • Sample

    241207-lrcyaaxjct

  • MD5

    d1cd48a7c5003ad9ff1e68abf3017daf

  • SHA1

    0d1d2552a590be57b047a90fa8a9eaa7b06023bc

  • SHA256

    be002eb43f0f92b945b58edea0413cc09a7e3f3fcaaae8040306f63381def05a

  • SHA512

    a22ec4e622cc826a6018f140402aae7fd05e19544d023458321189685d455f783889e5aaaff8fcbc329ab08eddd31874e4f5c453bba6758b5d8fb778d3a211f4

  • SSDEEP

    3072:XFd2Afoka0uMMGYmKlMCJ+UrxkCkK9a7+Z3wCYdj8vK1HDvhk1eSkDyfCnewUmGr:1jQwuYKs7M3jvEu1nkaCneT3NmEQ2

Malware Config

Extracted

Family

xtremerat

C2

umtakcicek.dyndns.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks