Overview

overview

10

Static

static

3

27349ec56d...18.exe

windows7-x64

10

27349ec56d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27349ec56dfdeb0da9b7ef100311ae17_JaffaCakes118

  • Size

    253KB

  • Sample

    240705-3j8tes1gkf

  • MD5

    27349ec56dfdeb0da9b7ef100311ae17

  • SHA1

    362c24cadab0a21cfe81329e37318e08dd3f1703

  • SHA256

    4fc78706e08717c9d4d62d35f46af3efc6c72b6b363bd31f49aa8f51db0d2a60

  • SHA512

    621cf02469db0cd7fb5acb5ed0a0b586d0707ee14b84623feb58d4cffdeb0f31c1d8d8efa3560870ce4256762165bbe3dd592802ed830e209d65bcb31a196d53

  • SSDEEP

    6144:hZ4B+t9IZzf4U0X6YpA5sEOnGa2qnHWWjR:hSB+t2x4U0X6eZEYfHWWF

Score
10/10
xtremeratpersistenceratspyware

Malware Config

Extracted

Family

xtremerat

C2

yah0o.sytes.net

Targets

    • Target

      27349ec56dfdeb0da9b7ef100311ae17_JaffaCakes118

    • Size

      253KB

    • MD5

      27349ec56dfdeb0da9b7ef100311ae17

    • SHA1

      362c24cadab0a21cfe81329e37318e08dd3f1703

    • SHA256

      4fc78706e08717c9d4d62d35f46af3efc6c72b6b363bd31f49aa8f51db0d2a60

    • SHA512

      621cf02469db0cd7fb5acb5ed0a0b586d0707ee14b84623feb58d4cffdeb0f31c1d8d8efa3560870ce4256762165bbe3dd592802ed830e209d65bcb31a196d53

    • SSDEEP

      6144:hZ4B+t9IZzf4U0X6YpA5sEOnGa2qnHWWjR:hSB+t2x4U0X6eZEYfHWWF

    Score
    10/10
    xtremeratpersistenceratspyware

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks