General
-
Target
f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118
-
Size
794KB
-
Sample
240418-bnrxxsgb8x
-
MD5
f6fb5d75bf7566772a043526fc3a2508
-
SHA1
96bf4f9f083d3e290356fc9fc652fd10ea979997
-
SHA256
f9a216ea7cad2d3b950157140054a44be53208dadfb2cf370750e1d1b11ae3c9
-
SHA512
83a0cc2d06a7a76b40b601cbc667d00c7c9e977b2472258019dd30fb7d7604af6f58bd80655dc1789077f72e275a9b94eb98f90f98f54dfa3dc10ed024a4ecb0
-
SSDEEP
12288:FnQSEnzQ6FcnUqma7elTcqifgMUAzx7uokpnelS2RKFn9ReDxSbsOCSsuZ:JuzQq6UqwlTcqY7epnePd81NZ
Static task
static1
Behavioral task
behavioral1
Sample
f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
xtremerat
3r9-99.no-ip.org
Targets
-
-
Target
f6fb5d75bf7566772a043526fc3a2508_JaffaCakes118
-
Size
794KB
-
MD5
f6fb5d75bf7566772a043526fc3a2508
-
SHA1
96bf4f9f083d3e290356fc9fc652fd10ea979997
-
SHA256
f9a216ea7cad2d3b950157140054a44be53208dadfb2cf370750e1d1b11ae3c9
-
SHA512
83a0cc2d06a7a76b40b601cbc667d00c7c9e977b2472258019dd30fb7d7604af6f58bd80655dc1789077f72e275a9b94eb98f90f98f54dfa3dc10ed024a4ecb0
-
SSDEEP
12288:FnQSEnzQ6FcnUqma7elTcqifgMUAzx7uokpnelS2RKFn9ReDxSbsOCSsuZ:JuzQq6UqwlTcqY7epnePd81NZ
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-