General
Target: JaffaCakes118_78da53408cd673fd3051565f8e6ba720
Size: 95KB
Sample: 250104-k5k1dasqcv
MD5: 78da53408cd673fd3051565f8e6ba720
SHA1: ffbd94e0763ba9ae7ad39fd0cb0f290b9c587a43
SHA256: b58cdf6d969afb01e8cf4ebd21b01b53ad0ea53b1d0d8126bf7ba4ca655ab3e9
SHA512: 8cc107bad54ceebd5c5599115737ef53f688d8ffd26aad61227b5a6da3858b64da778ee3f8bf1313ec0c5eafc8a60aa8cc84efc8b1d0d09339c80bf8ed2cf4fb
SSDEEP: 1536:8x70xyGJ2d0OA8Fgw3DFhBrtouYsn70vQviEcXJ4s:8axf2d2jwzRpouYsLi5p
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_78da53408cd673fd3051565f8e6ba720.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_78da53408cd673fd3051565f8e6ba720.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted
xtremerat
kirr.no-ip.biz
洕ዿ言C:\Windima7.no-ip.info
dee46ndal.no-ip.biz
Targets
Target: JaffaCakes118_78da53408cd673fd3051565f8e6ba720
Detect XtremeRAT payload
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Adds Run key to start application
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)