General
-
Target
JaffaCakes118_0c3d6015258781a207d73c1f19fc34f3
-
Size
207KB
-
Sample
250220-rdxnesyjv3
-
MD5
0c3d6015258781a207d73c1f19fc34f3
-
SHA1
e276fae63c066f23e8a14b5673b5f1e7446828fb
-
SHA256
59f676cd87c98c5efed6e3aa28d31d552fbce1277d24d4b6f2748d339f84b17f
-
SHA512
0820b00df84b0640fb05cd4d85b40aade69efb6ee678ae9155deb79ff854fd497d6c8399e929fef98e559257196d1facd2441e279ab569f0512d53eac084acd3
-
SSDEEP
3072:E1dlKwgj23+Oz05YoNozHCzrQnwO0tZCZ7fEJMVxwnfLRf6eNqu5bYMO:E1dlZro5yHn+toZ7fEJYxwfNf/NquO
Malware Config
Extracted
xtremerat
winupdat.no-ip.org
Targets
-
-
Target
JaffaCakes118_0c3d6015258781a207d73c1f19fc34f3
-
Size
207KB
-
MD5
0c3d6015258781a207d73c1f19fc34f3
-
SHA1
e276fae63c066f23e8a14b5673b5f1e7446828fb
-
SHA256
59f676cd87c98c5efed6e3aa28d31d552fbce1277d24d4b6f2748d339f84b17f
-
SHA512
0820b00df84b0640fb05cd4d85b40aade69efb6ee678ae9155deb79ff854fd497d6c8399e929fef98e559257196d1facd2441e279ab569f0512d53eac084acd3
-
SSDEEP
3072:E1dlKwgj23+Oz05YoNozHCzrQnwO0tZCZ7fEJMVxwnfLRf6eNqu5bYMO:E1dlZro5yHn+toZ7fEJYxwfNf/NquO
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2