General
Target: 40e6e9ecc4f712d2f625d4b2120d286e_JaffaCakes118
Size: 348KB
Sample: 240713-j8bqfatcmm
MD5: 40e6e9ecc4f712d2f625d4b2120d286e
SHA1: c2e25563fd71e25418f657d24cc49f46f6ea4061
SHA256: 5f356d778847c66a524d70c27a22ad86a93f8b78dba51edcc4af7da0129a55a6
SHA512: 6e3d644361f83a47f9abeeb963ede36984c3a634ffc3f783ba2daa866198ba3dca0de9bf564ff1e038436d94528ef34e8636e6ee59df93f5efd550a8ff429900
SSDEEP: 6144:qKRh1JKs9WlqIBn06LcGf5Cwth36oOcB8E8BLwGy6pFPinXjW5Cc4/TievpcatOL:vRh1JKuWlqIBngGf5Ft16oB8NBLwGy6N
Static task: static1
Behavioral task: behavioral1
Sample: 40e6e9ecc4f712d2f625d4b2120d286e_JaffaCakes118.exe
Resource: win7-20240704-en
Malware Config
Extracted
xtremerat
偌schalfer.no-ip.org
Targets
-
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext