General

  • Target

    d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118

  • Size

    699KB

  • Sample

    241208-mjhn8s1kdv

  • MD5

    d69477dcdd44d6f9d0102329894a9d9c

  • SHA1

    123ee34e12767a0a5fbbf132a32321cdf3dbbae0

  • SHA256

    ef9ec4742f12bf579efb7d36c3d645fba6d67b91272ee5b34952c25184f0afd6

  • SHA512

    5b92c34293bdbad140450ed4732710ab9b5a4d25f45034f8a754cfb0bd55d7b24059c46cc8465786283a5124b88cc154d0840205023119271334dc0058a0781f

  • SSDEEP

    12288:q/ezny90hw8BFyqXTS1jMeo5DKI4EZNYbaDY9wL:lnyww8BFyqjSMb4aNnMW

Malware Config

Extracted

Family

xtremerat

C2

dejoui2.no-ip.info

Targets

    • Target

      d69477dcdd44d6f9d0102329894a9d9c_JaffaCakes118

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components); the StubPath value of such a key is executed at the next user logon.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the usual way injected code is started (process hollowing or thread hijacking).

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.
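The Active Setup and Run key signatures above describe where this sample persists. The following is an added triage helper, not code from the sandbox or from the XtremeRAT analysis, that reads those two locations on a Windows host and flags entries launching from user-writable paths. The "trusted" and "user-writable" path lists are heuristics assumed for this example, and the sample entries are a constructed fixture, not data from this run:

```python
"""Added triage helper for the two persistence locations this report flags:
Active Setup 'Installed Components' StubPath values and the Run/RunOnce keys.

analyse_entries() works on plain (key, value_name, command) tuples so the logic
runs anywhere; collect_windows_entries() pulls live entries with winreg and
returns [] on a non-Windows host. The location heuristic is an assumption of
this example, not a sandbox rule."""
import re

ACTIVE_SETUP = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Launch locations legitimate autostart entries normally use (assumed list) ...
TRUSTED_PREFIXES = (r"c:\windows\", r"c:\program files\", r"c:\program files (x86)\",
                    "%systemroot%", "%windir%", "%programfiles%")
# ... and markers of user-writable locations where a dropped payload usually lands.
USER_WRITABLE_MARKERS = (r"\users\", r"\appdata\", r"\temp\", r"\tmp\", r"\programdata\",
                         "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%")


def exe_path(command: str) -> str:
    """Executable part of a command line: the quoted token if present, else the
    first whitespace-delimited token (an unquoted path with spaces is truncated)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def classify(command: str) -> str:
    path = exe_path(command).lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "suspicious: launches from a user-writable location"
    if path.startswith(TRUSTED_PREFIXES):
        return "expected location"
    return "review: unrecognised location"


def analyse_entries(entries):
    """Return the entries that are not in an expected location, with a verdict."""
    findings = []
    for key, name, command in entries:
        verdict = classify(command)
        if verdict != "expected location":
            findings.append({"key": key, "name": name, "command": command, "verdict": verdict})
    return findings


def collect_windows_entries():
    """Live collection; Windows only (winreg). HKLM and HKCU are both read."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for hive, hive_name in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:  # Active Setup: one subkey per component, StubPath holds the command run at logon
            with winreg.OpenKey(hive, ACTIVE_SETUP) as k:
                for i in range(winreg.QueryInfoKey(k)[0]):
                    sub = winreg.EnumKey(k, i)
                    with winreg.OpenKey(k, sub) as sk:
                        try:
                            stub = winreg.QueryValueEx(sk, "StubPath")[0]
                        except FileNotFoundError:
                            continue
                    out.append((f"{hive_name}\\{ACTIVE_SETUP}\\{sub}", "StubPath", str(stub)))
        except OSError:
            pass
        for run in RUN_KEYS:  # Run keys: each value is name -> command line
            try:
                with winreg.OpenKey(hive, run) as k:
                    for i in range(winreg.QueryInfoKey(k)[1]):
                        name, value, _ = winreg.EnumValue(k, i)
                        out.append((f"{hive_name}\\{run}", name, str(value)))
            except OSError:
                pass
    return out


# Constructed fixture (not data from the sandbox run) mixing benign and dropped-payload style entries.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}",
     "StubPath", r"C:\Windows\System32\ie4uinit.exe -UserConfig"),
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}",
     "StubPath", r'"C:\Users\alice\AppData\Roaming\Updater\updater.exe"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Update",
     r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for f in analyse_entries(collect_windows_entries() or SAMPLE_ENTRIES):
        print(f["verdict"], "|", f["key"], f["name"], "=", f["command"])
```

On a Windows host the script reads the live keys; anywhere else it falls back to the fixture so the logic can be exercised. Treat the verdicts as a starting point for review: plenty of legitimate software installs Run entries under %APPDATA%, and a StubPath pointing into C:\Windows can still be malicious if the dropped file was written there.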
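The UPX signature above and the hashes listed under General can both be checked on a file in hand. The following is an added example, not code from the sandbox, that walks the PE section table by hand and flags the UPX0/UPX1/UPX2 section names stock UPX writes, alongside a SHA-256 comparison against this report. The name check is only part of what a sandbox signature looks at (a modified UPX build that renames its sections defeats it), and the test PE built by build_fake_pe() is a constructed fixture, not the sample:

```python
"""Added file-side check for the 'UPX packed file' signature and the report hashes.

pe_section_names() parses the PE headers with struct (no pefile dependency) and
looks_upx_packed() flags the UPX0/UPX1/UPX2 names stock UPX writes. A modified
UPX build that renames its sections defeats this name check, which is why the
sandbox signature is broader; this example covers only the section-name part."""
import hashlib
import struct

REPORT_SHA256 = "ef9ec4742f12bf579efb7d36c3d645fba6d67b91272ee5b34952c25184f0afd6"
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def sha256_matches(data: bytes, expected: str = REPORT_SHA256) -> bool:
    return hashlib.sha256(data).hexdigest() == expected.lower()


def pe_section_names(data: bytes) -> list:
    """Section names of a PE image in table order; [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes) follows the signature
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, Name is the first 8
        if off + 40 > len(data):
            break  # truncated table: report what is there rather than raising
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {"sha256_matches_report": sha256_matches(data),
            "sections": pe_section_names(data),
            "upx_section_names": looks_upx_packed(data)}


def build_fake_pe(section_names) -> bytes:
    """Constructed fixture: a valid DOS stub, PE signature, COFF header and section
    table with zeroed bodies. Not executable and not the sample; for testing only."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * size_opt + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        demo = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
        print(pe_section_names(demo), looks_upx_packed(demo))
```

Run it as `python upx_check.py sample.bin` to get the hash verdict and section list for a real file; with no argument it parses the constructed fixture. The SHA-256 match is exact and brittle by design (any repack or modification changes it), whereas the SSDEEP value listed above is the one to use when hunting for near-identical variants.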

MITRE ATT&CK Enterprise v15

Tasks