General
-
Target
JaffaCakes118_bede504f34a28906459bb40b346a512c
-
Size
2.0MB
-
Sample
250208-etlvmswlel
-
MD5
bede504f34a28906459bb40b346a512c
-
SHA1
414431aa97798a7365008c720fbb9cc088e692b0
-
SHA256
72385796e68f246015c4204f3751ef4e8c4d8bb636fd7eeb16d4807f9d68b59f
-
SHA512
f571970313b0912c032cfb9a6b804cdbd75af540ac8562d25a6cc8085ac6f93fd7d42613ccaf99c4351a62cf74601c5e9b7bacc5f73d969c3bdf93f1b8f9445f
-
SSDEEP
49152:2SV3+XvHQ5LbvZMBalN7VBwQhnmCTtJ8Sv2LyFPXd3m:2SBSQ5Lbecl7wy/vJFPZm
Malware Config
Targets
-
-
Target
JaffaCakes118_bede504f34a28906459bb40b346a512c
-
Size
2.0MB
-
MD5
bede504f34a28906459bb40b346a512c
-
SHA1
414431aa97798a7365008c720fbb9cc088e692b0
-
SHA256
72385796e68f246015c4204f3751ef4e8c4d8bb636fd7eeb16d4807f9d68b59f
-
SHA512
f571970313b0912c032cfb9a6b804cdbd75af540ac8562d25a6cc8085ac6f93fd7d42613ccaf99c4351a62cf74601c5e9b7bacc5f73d969c3bdf93f1b8f9445f
-
SSDEEP
49152:2SV3+XvHQ5LbvZMBalN7VBwQhnmCTtJ8Sv2LyFPXd3m:2SBSQ5Lbecl7wy/vJFPZm
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1