General
-
Target
JaffaCakes118_d32f255d97717b3cffcabf0eb5b1055e
-
Size
295KB
-
Sample
250209-yxtjfa1nf1
-
MD5
d32f255d97717b3cffcabf0eb5b1055e
-
SHA1
eb4ec8ed7423fd10223303c8d6bfecc31d901474
-
SHA256
60c0eaaa8196c1d92c93a7e5650ab5b0d7f0df9f5c80f77b62ad8d347962ba02
-
SHA512
7d1c3df5add5e2a9b9564448b31e1845e24a8750738f9be67618265fa46018a87e90827d20d8745593b6a9faed6454d947f9f634c9ebf91304a420a1f22c1a7e
-
SSDEEP
3072:0yxfTVbmdCqmpESxQfPNm83OAlKpKj6gskjXsCqIlgFlAYUx571O9vuAuLiKLilZ:0gVqmpES6Nn3WngoCj6S51OtFuZGl
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_d32f255d97717b3cffcabf0eb5b1055e.exe
Resource
win7-20241010-en
Malware Config
Extracted
xtremerat
youtube-test.zapto.org
Targets
Detect XtremeRAT payload
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)