General
-
Target
533806e2f69ffb75b1b78acc314bb5cb_JaffaCakes118
-
Size
188KB
-
Sample
240717-qwz1tswejb
-
MD5
533806e2f69ffb75b1b78acc314bb5cb
-
SHA1
10d63b50db8d033a99a2a45e6465666745a6258e
-
SHA256
7b55a2e21e74a9d370c3e11997dd08ab69e36ad053c8317373c6cfa41a14151f
-
SHA512
45222527e968a79e3fbf15f69e9cd9f3ae08cd29d7c7f9b33a2d694377e3a10aba237c11f690feefed429c8d1822760bbf2ec7191f755e9c9bffe662ae2e4ec5
-
SSDEEP
3072:uwxVMhOC/dTJbq91+mno3t4QZQ3rbfyUDZ0BTN73JceyuK/NXRX:uTfFJbRnOTrbfyUDC3n1KFt
Static task
static1
Behavioral task
behavioral1
Sample
533806e2f69ffb75b1b78acc314bb5cb_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
533806e2f69ffb75b1b78acc314bb5cb_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
xtremerat
ak474.zapto.org
Targets
-
-
Target
533806e2f69ffb75b1b78acc314bb5cb_JaffaCakes118
-
Size
188KB
-
MD5
533806e2f69ffb75b1b78acc314bb5cb
-
SHA1
10d63b50db8d033a99a2a45e6465666745a6258e
-
SHA256
7b55a2e21e74a9d370c3e11997dd08ab69e36ad053c8317373c6cfa41a14151f
-
SHA512
45222527e968a79e3fbf15f69e9cd9f3ae08cd29d7c7f9b33a2d694377e3a10aba237c11f690feefed429c8d1822760bbf2ec7191f755e9c9bffe662ae2e4ec5
-
SSDEEP
3072:uwxVMhOC/dTJbq91+mno3t4QZQ3rbfyUDZ0BTN73JceyuK/NXRX:uTfFJbRnOTrbfyUDC3n1KFt
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1