General
-
Target
ab1286fa7650738e0b821bebf04ade41_JaffaCakes118
-
Size
4.8MB
-
Sample
240621-v3p7esydnh
-
MD5
ab1286fa7650738e0b821bebf04ade41
-
SHA1
3f839fa95db110d547592d1f8bd1ef359a9da4df
-
SHA256
18f99597514fed8f0218a32736d142c5038fd9a711a47c6aceb8b8ed39eae6dc
-
SHA512
db9a52c0634c1c32e4d2f99a75b703789e0f28de7a1095b660b03e70c780d34d96549aca51d982813fb18032b24edacb00609db3c7d1b58c09537c12b290fc3b
-
SSDEEP
24576:Vo2Yq+JFAA6MOrm/KPO/lYq0L0YPLU8OpRZvZLbU4lL525r2zjWYu7XZTj5Ilzrb:V6fyFq7vuINqd7M99/L
Malware Config
Extracted
xtremerat
iaficasioo.zapto.org
Targets
-
-
Target
ab1286fa7650738e0b821bebf04ade41_JaffaCakes118
-
Size
4.8MB
-
MD5
ab1286fa7650738e0b821bebf04ade41
-
SHA1
3f839fa95db110d547592d1f8bd1ef359a9da4df
-
SHA256
18f99597514fed8f0218a32736d142c5038fd9a711a47c6aceb8b8ed39eae6dc
-
SHA512
db9a52c0634c1c32e4d2f99a75b703789e0f28de7a1095b660b03e70c780d34d96549aca51d982813fb18032b24edacb00609db3c7d1b58c09537c12b290fc3b
-
SSDEEP
24576:Vo2Yq+JFAA6MOrm/KPO/lYq0L0YPLU8OpRZvZLbU4lL525r2zjWYu7XZTj5Ilzrb:V6fyFq7vuINqd7M99/L
Score10/10-
AdWind
A Java-based RAT family operated as malware-as-a-service.
-
Class file contains resources related to AdWind
-
Detect XtremeRAT payload
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
UAC bypass
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
1Image File Execution Options Injection
1