General
- Target: 351c5d3f4ad16a00636b6f4121ad6198_JaffaCakes118
- Size: 221KB
- Sample: 240710-rsz24ashqp
- MD5: 351c5d3f4ad16a00636b6f4121ad6198
- SHA1: 627eb7eca4119da150ae860e56c554ddf361c8dc
- SHA256: 35390d60f4b4adb5c015137b8831c74dac5d06c1a211635faf89fc3cde4b1e69
- SHA512: 83633ef8e7ef6a69437260466833a6f188707d0bb6d18ded139aa19a3a12559d965721124307edcbc39670804b58766624a4d9df754d1df3c8fb017622ae0780
- SSDEEP: 6144:yxXUMzzCyMIBlhcODcnVW5GJZ2tNYLj8MfsQxuMGkk:yBk1oDUVzYKj86sQykk
Static task: static1
Behavioral task: behavioral1
- Sample: 351c5d3f4ad16a00636b6f4121ad6198_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 351c5d3f4ad16a00636b6f4121ad6198_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
Malware Config
Extracted
- xtremerat
- tornadozz.no-ip.org
Targets
- Target: 351c5d3f4ad16a00636b6f4121ad6198_JaffaCakes118
- Size: 221KB
- MD5: 351c5d3f4ad16a00636b6f4121ad6198
- SHA1: 627eb7eca4119da150ae860e56c554ddf361c8dc
- SHA256: 35390d60f4b4adb5c015137b8831c74dac5d06c1a211635faf89fc3cde4b1e69
- SHA512: 83633ef8e7ef6a69437260466833a6f188707d0bb6d18ded139aa19a3a12559d965721124307edcbc39670804b58766624a4d9df754d1df3c8fb017622ae0780
- SSDEEP: 6144:yxXUMzzCyMIBlhcODcnVW5GJZ2tNYLj8MfsQxuMGkk:yBk1oDUVzYKj86sQykk
- Detect XtremeRAT payload
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext