General
-
Target
3f3e33c26d70278d1fcebc64856d05e8_JaffaCakes118
-
Size
793KB
-
Sample
240712-25w63svcnl
-
MD5
3f3e33c26d70278d1fcebc64856d05e8
-
SHA1
42f2a40a727b58a8d50d74f27fd8432b8c571b63
-
SHA256
1d5a871ef2b2520762debaadff289f99eb901931c990e1f0d26e0f95efccb29e
-
SHA512
1b7b2f477825b8e083a7f0c76a8f4fa6c685bb9eee37e4672095693e12c1a8a6076785f31fd8ec980acec3dc39367e44eda79d660336a7380371faf9e061a6b3
-
SSDEEP
12288:LhhSJRyeHyKAhIV4IoSoJze68PvanRJkHVphYJGTaTFxfj5VtEByClkRqTzd:LqyeHypU4RJK007QGTojfjzw
Behavioral task
behavioral1
Sample
3f3e33c26d70278d1fcebc64856d05e8_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
3f3e33c26d70278d1fcebc64856d05e8_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
xtremerat
nerozhack.ddns.com.br
p ƒalonedevil.no-ip.org
gameszero.dyndns.org
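All three C2 entries are dynamic-DNS hostnames, so whatever IP they resolved to during the run is not a durable indicator; hunting should match on the names themselves (and their subdomains). The following is an added example, not output of the sandbox or part of the original report: it matches the two cleanly rendered hostnames from the extracted config against constructed dnsmasq-style query log lines (the log lines, source IPs and the `query[...]` format are assumptions for illustration). The third config entry is mis-rendered on this page and is deliberately left out rather than guessed at.

```python
import re
from typing import Dict, List

# C2 hostnames taken from the XtremeRAT config extracted from this sample.
# The page's third entry is garbled and is intentionally not reproduced here.
XTREMERAT_C2 = {
    "nerozhack.ddns.com.br",
    "gameszero.dyndns.org",
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that resolvers often log."""
    return name.strip().rstrip(".").lower()


def is_c2_match(qname: str, iocs=XTREMERAT_C2) -> bool:
    """True if qname is an IOC or a subdomain of one (label-boundary aware,
    so 'notgameszero.dyndns.org' does not match 'gameszero.dyndns.org')."""
    q = normalize(qname)
    return any(q == ioc or q.endswith("." + ioc) for ioc in iocs)


# Constructed sample log lines (not from the page), dnsmasq-like format.
SAMPLE_LOG = """\
Jul 12 03:15:01 gw dnsmasq[1234]: query[A] nerozhack.ddns.com.br from 10.0.0.15
Jul 12 03:15:01 gw dnsmasq[1234]: query[A] update.microsoft.com from 10.0.0.15
Jul 12 03:15:07 gw dnsmasq[1234]: query[A] GAMESZERO.DYNDNS.ORG. from 10.0.0.22
Jul 12 03:15:09 gw dnsmasq[1234]: query[A] notgameszero.dyndns.org from 10.0.0.22
Jul 12 03:15:11 gw dnsmasq[1234]: query[AAAA] sub.nerozhack.ddns.com.br from 10.0.0.15
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<src>\S+)")


def find_c2_queries(log_text: str) -> List[Dict[str, str]]:
    """Return one record per query line whose name hits the C2 list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_c2_match(m.group("qname")):
            hits.append({
                "src": m.group("src"),
                "qname": normalize(m.group("qname")),
                "qtype": m.group("qtype"),
            })
    return hits


if __name__ == "__main__":
    for h in find_c2_queries(SAMPLE_LOG):
        print(f"{h['src']} -> {h['qname']} ({h['qtype']})")
```

Run against the constructed log this reports the two 10.0.0.15 queries (apex and a subdomain) and the case-insensitive `GAMESZERO.DYNDNS.ORG.` lookup from 10.0.0.22, and ignores the look-alike `notgameszero.dyndns.org`.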
Targets
-
Detect XtremeRAT payload
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
ModiLoader Second Stage
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
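The "Adds Run key to start application" signature fires on any write under a Run/RunOnce key, which installers also do. An endpoint hunt therefore needs context to separate the sample's persistence from legitimate autoruns. The following is an added example, not part of the sandbox report or the sample itself: it classifies Sysmon Event ID 13 (registry value set) records by whether the written value registers the writing process itself or points into a user-writable location. The event records, paths and value names are constructed for illustration; only the Sysmon field names (`Image`, `TargetObject`, `Details`) are real.

```python
import re
from typing import Dict, List

# Autostart keys behind the "Adds Run key" behaviour, in HKCU/HKU and HKLM,
# including the Wow6432Node view written by 32-bit processes on 64-bit Windows.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)


def unquote_path(value: str) -> str:
    """Reduce a Run value such as "C:\\x\\a.exe" /s to the executable path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def classify_autorun(event: Dict[str, object]) -> List[str]:
    """Flags for one Sysmon Event ID 13 record; empty if it is not a Run-key write."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(str(event.get("TargetObject", ""))):
        return []
    flags = ["run_key_write"]
    target = unquote_path(str(event.get("Details", "")))
    if target.lower() == str(event.get("Image", "")).lower():
        flags.append("self_registration")       # process persists itself
    if USER_WRITABLE_RE.match(target):
        flags.append("user_writable_target")    # autorun points at a droppable path
    return flags


def suspicious_autoruns(events) -> List[Dict[str, object]]:
    """Keep Run-key writes that carry at least one extra flag; bare writes are too common to alert on."""
    hits = []
    for ev in events:
        flags = classify_autorun(ev)
        if len(flags) > 1:
            hits.append({"image": ev["Image"], "key": ev["TargetObject"], "flags": flags})
    return hits


# Constructed Sysmon records (not from the page), trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\update\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r'"C:\Users\victim\AppData\Roaming\update\app.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /tray'},
    {"EventID": 13, "Image": r"C:\Users\victim\Desktop\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svc",
     "Details": r"C:\ProgramData\svc\svc.exe -k"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Users\victim\Desktop\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for h in suspicious_autoruns(SAMPLE_EVENTS):
        print(h["image"], "->", h["key"], h["flags"])
```

Of the constructed records, the self-registering AppData binary and the Wow6432Node RunOnce entry pointing into ProgramData are reported; the msiexec-written Program Files autorun, the unrelated Explorer value, and the Event ID 12 key creation are not.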
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (T1548): 1
Bypass User Account Control (T1548.002): 1
Boot or Logon Autostart Execution (T1547): 1
Registry Run Keys / Startup Folder (T1547.001): 1