General

  • Target

    e25a530a619d80f47c07859ffb30c461_JaffaCakes118

  • Size

    825KB

  • Sample

    241211-t734eavrdj

  • MD5

    e25a530a619d80f47c07859ffb30c461

  • SHA1

    6c4e028a9af10aeef790afb754e192ff4973d9a3

  • SHA256

    7508eac8f92a60b84e761d6cb54a6f6c64e8a026c10f96ee9e7165bc1b3f5381

  • SHA512

    51bcdbf9ffc6533e450de5147e4d0ae237121bc48b40f0a4be10b54e9c8ff63b84d3fb18a52e55b6a7a143f988265be67bf00586e3b2747b75ef8073c4f58c83

  • SSDEEP

    24576:2AojG2m6TtySYXU9/UwlPGhnxy4i9XCWsu5agFya3TphZo:A/PtySL9/UwluhnhuyWZagdTPZo

Malware Config

Extracted

Family

xtremerat

C2

jc9-hacker.no-ip.org

Targets

    • Target

      e25a530a619d80f47c07859ffb30c461_JaffaCakes118

    • Size

      825KB

    • MD5

      e25a530a619d80f47c07859ffb30c461

    • SHA1

      6c4e028a9af10aeef790afb754e192ff4973d9a3

    • SHA256

      7508eac8f92a60b84e761d6cb54a6f6c64e8a026c10f96ee9e7165bc1b3f5381

    • SHA512

      51bcdbf9ffc6533e450de5147e4d0ae237121bc48b40f0a4be10b54e9c8ff63b84d3fb18a52e55b6a7a143f988265be67bf00586e3b2747b75ef8073c4f58c83

    • SSDEEP

      24576:2AojG2m6TtySYXU9/UwlPGhnxy4i9XCWsu5agFya3TphZo:A/PtySL9/UwluhnhuyWZagdTPZo

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Xtremerat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks