General

  • Target

    d9e50d97d75a492b9fd6bb4339d63504_JaffaCakes118

  • Size

    68KB

  • Sample

    241209-qz3k5azkaw

  • MD5

    d9e50d97d75a492b9fd6bb4339d63504

  • SHA1

    1ab542952af689f831167e82cfcd8a11a9e2ee88

  • SHA256

    ef395cb6faa5c2fe64e240dbdbf31b691ef599df24273114cb37eac97a114c7b

  • SHA512

    102fecfae132ab138ce218536c542feb467138760ac754707fabb9798c80c3d05cf1bfec0fabcd2b8b03e78fbd519d2f15dc1aaa6ac5ab6a6b4056b86c179ab3

  • SSDEEP

    1536:RW53nN1goS/TLsy5iD4QHjN8qR58Pc48U:RAgLsnD4QHjeqRyc48U

Malware Config

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks