General
- Target: JaffaCakes118_09e80c7246e970032b1c8fb0fcd9ded4
- Size: 668KB
- Sample: 250220-f5ljpaxpcp
- MD5: 09e80c7246e970032b1c8fb0fcd9ded4
- SHA1: 534012a13b5e523128a2acee591aff057cf2d798
- SHA256: 7981d1d59a3d2328fa24c378de5ded0f1605764e58910fe9c82a91d544c381aa
- SHA512: a7ba8fec81432e77c4e381dba1482e9c45519a8d39f3fc445896a9b75d2cb073b57bcda2e6aaa804138a20564791d48920b65a586b59356ab4934900a623bb63
- SSDEEP: 12288:AOqBS5JJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYkvOW:hCSYE7z193Rit8UJ62BmhgVvOW
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_09e80c7246e970032b1c8fb0fcd9ded4.exe
- Resource: win7-20250207-en

Malware Config
Extracted
- Family: xtremerat
- Hostname: sweetma198.no-ip.info
Targets
- Target: JaffaCakes118_09e80c7246e970032b1c8fb0fcd9ded4
- Size: 668KB
- MD5: 09e80c7246e970032b1c8fb0fcd9ded4
- SHA1: 534012a13b5e523128a2acee591aff057cf2d798
- SHA256: 7981d1d59a3d2328fa24c378de5ded0f1605764e58910fe9c82a91d544c381aa
- SHA512: a7ba8fec81432e77c4e381dba1482e9c45519a8d39f3fc445896a9b75d2cb073b57bcda2e6aaa804138a20564791d48920b65a586b59356ab4934900a623bb63
- SSDEEP: 12288:AOqBS5JJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYkvOW:hCSYE7z193Rit8UJ62BmhgVvOW
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)