General
- Target: ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118
- Size: 226KB
- Sample: 240410-jmha4abf8v
- MD5: ea95c71d3c8f55d6a51ae43dd9cde9d9
- SHA1: 25460dbd2c7e996de80285971e787fb83e38d32e
- SHA256: 1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
- SHA512: 789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
- SSDEEP: 6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk
Static task: static1
Behavioral task: behavioral1
- Sample: ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe
- Resource: win10v2004-20231215-en
Malware Config
- Extracted: xtremerat
- a411.no-ip.info
Targets
- Target: ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118
- Size: 226KB
- MD5: ea95c71d3c8f55d6a51ae43dd9cde9d9
- SHA1: 25460dbd2c7e996de80285971e787fb83e38d32e
- SHA256: 1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
- SHA512: 789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
- SSDEEP: 6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk
Signatures
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext