General
Target: f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118
Size: 93KB
Sample: 240417-vytztage86
MD5: f64a83456bc601bb3aeebfdc6094057a
SHA1: dd117d3c5b1051c12abe3e521ac2c0e28caaa646
SHA256: 121cf6c76608b2554ad1566c64ec8c0350d123b156cb8bd61fd7c35574958066
SHA512: 42e791a94a22402ea428962888926cb086704d3c6888e9e12bd8f5ad2781bf9632cae1a6fd351795123c8d8bba83d8c8a4fab6c91a73508ba7927394d391789a
SSDEEP: 1536:dOCc/KRA9EMj3IBAgVfiSTfSA8ZrggRK2AhFn+okzhF5mG4ffabCbn6cdsIlU7K+:dOCcCRjMkAgVfLTfx6rgeq8L5F0fpnjO
Static task: static1
Behavioral task: behavioral1
Sample: f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted: xtremerat
turkoteste.no-ip.org
Targets
Target: f64a83456bc601bb3aeebfdc6094057a_JaffaCakes118 (93KB; hashes as listed under General)
Score: 10/10
- Detect XtremeRAT payload
- Modifies WinLogon for persistence
- XtremeRAT: developed by xtremecoder, written in Delphi, and available since at least 2010.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext