General
-
Target
JaffaCakes118_cbcb18b055500f3d2e0113cf0e14a7b4
-
Size
52KB
-
Sample
250119-s5pybsvlfj
-
MD5
cbcb18b055500f3d2e0113cf0e14a7b4
-
SHA1
960cc86d2c1d2fca09a97187139423e69702e369
-
SHA256
28b4a73687430cf137c73b9e33483c150d539f25089cf439c2644b588ad38e7c
-
SHA512
0a80e9b68ecb7f9c4613eb17fa7573b5234180ef06d9faa0917cca764d1f229caef36597588b860f8960d037e59f7a31a30fa9ceffcacd6ece84fa9e3521273d
-
SSDEEP
1536:j5pKykodYEopdFV7DHeR3xAjxdW8jZZGiFl:j5Pko3op1/Hw3xP890
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_cbcb18b055500f3d2e0113cf0e14a7b4.exe
Resource
win7-20241010-en
Malware Config
Extracted
xtremerat
khaldoon.no-ip.org
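The extracted C2 hostname above is the most actionable indicator in this report. The following is an added example, not part of the report or of any sandbox's code, that sweeps DNS query logs for it: an exact match on khaldoon.no-ip.org is reported as a C2 hit, while any other name under a dynamic-DNS zone is only surfaced as a lower-confidence lead. The log line format, the log lines themselves and the list of dynamic-DNS zones are constructed for illustration.

```python
"""Sweep DNS query logs for the XtremeRAT C2 host extracted in this report.

Added example, not part of the sandbox report. The C2 hostname is the one the
report extracted; the log format, log lines and DDNS zone list are constructed.
"""
import re

C2_HOSTS = {"khaldoon.no-ip.org"}                    # from the report's extracted config
DDNS_APEX = ("no-ip.org", "no-ip.biz", "ddns.net")   # assumption: DDNS zones worth a low-confidence lead

# Constructed log lines in a "timestamp client qname qtype" shape (not a real product's format).
SAMPLE_LOG = """\
2025-01-19T10:01:02Z 10.0.0.15 www.microsoft.com A
2025-01-19T10:01:09Z 10.0.0.15 KHALDOON.no-ip.org. A
2025-01-19T10:02:30Z 10.0.0.22 updates.no-ip.org A
2025-01-19T10:03:11Z 10.0.0.15 khaldoon.no-ip.org A
2025-01-19T10:04:00Z 10.0.0.31 example.com AAAA
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(qname):
    # DNS names are case-insensitive and resolvers often log a trailing dot.
    return qname.rstrip(".").lower()


def classify(qname):
    """Return 'c2-match', 'ddns-lead', or None for an uninteresting name."""
    name = normalize(qname)
    if name in C2_HOSTS:
        return "c2-match"
    if any(name == apex or name.endswith("." + apex) for apex in DDNS_APEX):
        return "ddns-lead"
    return None


def sweep(log_text):
    """Parse each log line and keep the ones that classify as a hit or a lead."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        verdict = classify(m["qname"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize(m["qname"]), "verdict": verdict})
    return hits


def clients_by_verdict(hits):
    """Group source clients by verdict so C2 hits and weak leads are triaged separately."""
    out = {}
    for h in hits:
        out.setdefault(h["verdict"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(h)
```

Normalize before comparing: case and the trailing dot vary between resolvers. A dynamic-DNS hostname can be re-pointed or expire at any time, so whatever it resolves to today says nothing about what the sample contacted at the time of analysis; match on the name, not on a resolved address.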
Targets
-
-
Target
JaffaCakes118_cbcb18b055500f3d2e0113cf0e14a7b4
-
Size
52KB
-
MD5
cbcb18b055500f3d2e0113cf0e14a7b4
-
SHA1
960cc86d2c1d2fca09a97187139423e69702e369
-
SHA256
28b4a73687430cf137c73b9e33483c150d539f25089cf439c2644b588ad38e7c
-
SHA512
0a80e9b68ecb7f9c4613eb17fa7573b5234180ef06d9faa0917cca764d1f229caef36597588b860f8960d037e59f7a31a30fa9ceffcacd6ece84fa9e3521273d
-
SSDEEP
1536:j5pKykodYEopdFV7DHeR3xAjxdW8jZZGiFl:j5Pko3op1/Hw3xP890
-
Detect XtremeRAT payload
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (T1547): 2
Active Setup (T1547.014): 1
Registry Run Keys / Startup Folder (T1547.001): 1
Privilege Escalation
Boot or Logon Autostart Execution (T1547): 2
Active Setup (T1547.014): 1
Registry Run Keys / Startup Folder (T1547.001): 1
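The two persistence signatures above (an Active Setup component and a Run key) are what the T1547.014 and T1547.001 entries in the ATT&CK mapping refer to. As an added example, not code from the report or from the sandbox, the following parses a `reg export`-style text dump and reports StubPath values under Active Setup\Installed Components and every string value under the Run/RunOnce keys, marking entries whose executable lives in a user-writable location. The registry export, the GUIDs and the file paths are constructed for illustration; nothing here is taken from the sample's actual configuration.

```python
"""Triage a .reg text export for Active Setup (T1547.014) and Run-key (T1547.001) persistence.

Added example, not part of the sandbox report. The export below is constructed:
the GUIDs, paths and value names are invented to exercise the parser.
"""
import re
from dataclasses import dataclass

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-4000-8000-000000000001}]
"StubPath"="C:\\Users\\victim\\AppData\\Roaming\\updater\\svchost.exe restart"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\updater\\svchost.exe"
"""

ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')          # "name"=data
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    key: str
    name: str
    command: str
    image: str
    suspicious: bool


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def _image_path(command):
    """Pull the executable out of a command line: quoted path, or first space-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command
    return command.split(" ", 1)[0]


def parse_reg_export(text):
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        if ACTIVE_SETUP_RE.search(key):
            technique = "T1547.014"
        elif RUN_KEY_RE.search(key):
            technique = "T1547.001"
        else:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # '@=' default value or a hex continuation line
        name, data = m.group(1), m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex(...) data is not a REG_SZ command line
        if technique == "T1547.014" and name.lower() != "stubpath":
            continue  # only StubPath is executed by Active Setup
        command = _unescape(data[1:-1])
        image = _image_path(command)
        findings.append(Finding(technique, key, name, command, image,
                                bool(USER_WRITABLE_RE.search(image))))
    return findings


def summarize(findings):
    """Count suspicious entries per ATT&CK technique."""
    counts = {}
    for f in findings:
        if f.suspicious:
            counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_reg_export(SAMPLE_REG):
        print(f)
```

Active Setup runs a component's StubPath once per user at the next interactive logon, whenever the HKLM component is missing from, or has a newer Version than, the user's HKCU copy, so a single HKLM entry reaches every user of the machine. Real `reg export` output is UTF-16LE with a BOM; decode it before passing it in. The path heuristic is deliberately crude: OneDrive legitimately runs from AppData and is flagged here, so pair it with signer or hash allow-listing before acting on a result.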