General

Target: 3e7a110831308033d6d24ae4c58b5932_JaffaCakes118
Size: 108KB
Sample: 240712-xh7bbayakc
MD5: 3e7a110831308033d6d24ae4c58b5932
SHA1: d768d64494e7d07a02c99d03fa3c9dec4ce8fa4b
SHA256: 189d6de846b6b866c72384f6dc3f813b482df5ff6145dda1e096f867bc7b8eda
SHA512: 74f77753edc22279fa657a40297202c9d24139612a7f3ab0d9b05e3f29c50a7db968a58aa070940b35aef6a8fbfce6c33af7a830dc19f3a08279fa5bd4e754d1
SSDEEP: 768:BsvAkSb0Uj/VT2EQg5yY28Zns5BnzI+47rmdN/xqgMg46oDUn/lahGNgFQ+v+IYw:OvA1pI8ZIBzIL74xqg86oe/lm7FuF
Static task: static1

Behavioral task: behavioral1
Sample: 3e7a110831308033d6d24ae4c58b5932_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 3e7a110831308033d6d24ae4c58b5932_JaffaCakes118.exe
Resource: win10v2004-20240709-en
Malware Config

Extracted family: xtremerat
C2: ayada.dyndns.biz
Targets

Target: 3e7a110831308033d6d24ae4c58b5932_JaffaCakes118 (size and hashes identical to the General section above)
Score: 10/10

Signatures

Detect XtremeRAT payload

XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine; the StubPath command of such a key runs once per user at logon.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (avoiding execution in selected countries).

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext
Calling SetThreadContext on a thread of another process is a common step in process hollowing and thread hijacking.
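The two persistence signatures above (Active Setup and the Run key) and the extracted C2 domain are the artifacts a responder would check first on a host suspected of running this sample. The script below is an added triage example, not part of the Tria.ge report and not the sample's own code: it enumerates Active Setup StubPath entries and Run/RunOnce values, flags commands that live in user-writable locations, and looks for the report's C2 domain in the DNS client cache. The registry paths are the standard Windows locations; the report does not give the sample's value names or dropped-file path, so none are assumed.

```powershell
# Added triage example (not code from the report). Run in an elevated PowerShell
# on the Windows host being examined. Nothing here depends on the sample's
# unpublished value names; the paths are the standard persistence locations.

$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$runRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$c2Domain = 'ayada.dyndns.biz'   # C2 taken from the extracted config above

# Active Setup: every subkey that carries a StubPath value is executed once per
# user at logon, which is the behaviour the signature describes.
$stubs = foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) {
            [pscustomobject]@{ Source = 'ActiveSetup'; Key = $_.PSChildName; Command = $stub }
        }
    }
}

# Run/RunOnce: each value under the key is a command line launched at logon.
# PS* properties are provider metadata added by Get-ItemProperty, not registry values.
$runs = foreach ($root in $runRoots) {
    if (-not (Test-Path $root)) { continue }
    $props = Get-ItemProperty -Path $root
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            [pscustomobject]@{ Source = 'Run'; Key = "$root\$($p.Name)"; Command = $p.Value }
        }
    }
}

$all = @($stubs) + @($runs)

# Flag commands that point into user-writable directories or that do not start
# in the Windows or Program Files trees; dropped RAT executables usually do.
$suspicious = $all | Where-Object {
    $cmd = [string]$_.Command
    ($cmd -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') -or
    (-not ($cmd -match '^"?[A-Za-z]:\\(Windows|Program Files)'))
}

Write-Host "All autostart entries found:"
$all | Format-Table -AutoSize

Write-Host "`nEntries worth a second look:"
$suspicious | Format-Table -AutoSize

# Network side: a cached resolution for the C2 domain means the host has tried
# to reach it since the last cache flush (Get-DnsClientCache needs Windows 8 / 2012 or later).
Write-Host "`nDNS cache entries for $c2Domain:"
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Domain*" -or $_.Name -like "*$c2Domain*" } |
    Format-Table Entry, Name, Data -AutoSize
```

The heuristic in the "second look" filter deliberately over-reports: legitimate entries that launch programs by bare name (no drive letter) will appear too, so treat the list as a starting point for manual review rather than a verdict. Any flagged executable should be hashed and compared against the SHA256 in the General section, and a dropped file will typically carry a different hash from the original loader, so check dropped files by behaviour and signer as well.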