General
Target: 5a8ffde10aa99fe1da4a56fada54d917_JaffaCakes118
Size: 47KB
Sample: 240719-fnbcdsxcje
MD5: 5a8ffde10aa99fe1da4a56fada54d917
SHA1: 915cb298fd128875abc1b02f606bd554403ff79e
SHA256: f09f5737cc736ac13fe222e21d802729b1c9d212ab3b19f5bde6bea736799f95
SHA512: c6bb1c1ea4a59089177ffd525ae46ab61a5ea9deca2e1083d906ec7eb6c3047130002b1048156afed01b18ff8cd35ae3c905afa9d77aa0ede053362d643e8f47
SSDEEP: 768:KhKi6vj0BATfZR3LYGJLydk8RgLHuANgJENrcxg+YDUyiJaHn5MAJwi/rgak9Dn7:KorkoRsG8dk8RqgJENrcC+YDUrg5bJw3
Behavioral task: behavioral1
Sample: 5a8ffde10aa99fe1da4a56fada54d917_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 5a8ffde10aa99fe1da4a56fada54d917_JaffaCakes118.exe
Resource: win10v2004-20240704-en
Malware Config
Extracted
Family: xtremerat
C2: fabhack.no-ip.org
Targets
Target: 5a8ffde10aa99fe1da4a56fada54d917_JaffaCakes118
Score: 10/10
- Detect XtremeRAT payload
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Boot or Logon Autostart Execution: Active Setup (T1547.014)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Each subkey of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components carries a StubPath command that Windows runs at a user's next interactive logon whenever HKCU lacks a subkey of the same name or holds an older Version value, so a planted entry executes once for every account that later logs on.
- Checks computer location settings
  Reads the country code configured in the registry (typically the Nation value under Control Panel\International\Geo), most likely to geofence execution and avoid running in certain regions.
- Deletes itself
  Removes its own executable from disk, which frustrates collection of the original dropper.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  Writes a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or its HKLM counterpart) so the program is launched at every logon (T1547.001).
- Drops file in System32 directory
  Writing into %SystemRoot%\System32 requires administrative rights; a payload placed there blends in with operating-system binaries.
- Suspicious use of SetThreadContext
  Calling SetThreadContext on a thread of another process is characteristic of process hollowing and thread hijacking: the target is started suspended, its memory is replaced with the payload, and the thread's context is rewritten so that execution resumes inside the injected code instead of at the original entry point.
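As an added example (not code from the Triage report, nor from the XtremeRAT author), the PowerShell sweep below checks a Windows host for the indicators listed on this page: files whose SHA256 matches the sample, Active Setup and Run-key autostart entries whose program lives outside the expected system directories, and cached DNS lookups of the extracted C2 host. The parameter names, the default scan paths and the "trusted directory" heuristic are assumptions made for the example; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example: host triage for the indicators in this report (not part of the report itself).
# Assumptions: elevated PowerShell 5.1+, parameter names and default scan paths chosen here.
param(
    [string[]]$ScanPath    = @("$env:SystemRoot\System32", $env:APPDATA, $env:TEMP),
    [string[]]$KnownSha256 = @('f09f5737cc736ac13fe222e21d802729b1c9d212ab3b19f5bde6bea736799f95'),
    [string]  $C2Domain    = 'fabhack.no-ip.org'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# Directories in which autostart programs are expected to live (trailing '\' avoids
# treating C:\WindowsEvil as a child of C:\Windows).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutablePath([string]$Command) {
    # '"C:\Foo\bar.exe" /arg' or 'C:\Foo\bar.exe /arg'  ->  'C:\Foo\bar.exe'
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return $c.Substring(1).Split('"')[0] }
    return $c.Split(' ')[0]
}

function Test-TrustedPath([string]$Command) {
    $exe = Get-ExecutablePath $Command
    foreach ($t in $trusted) {
        if ($exe.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false   # bare names such as 'regsvr32.exe' are flagged too; review them by hand
}

# 1. Files whose SHA256 matches the report. The sample is 47 KB, so skip large files.
foreach ($dir in $ScanPath) {
    if (-not ($dir -and (Test-Path $dir))) { continue }
    Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 1MB } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h -and ($KnownSha256 -contains $h.Hash.ToLower())) { Add-Finding 'HashMatch' $_.FullName }
        }
}

# 2. Active Setup: HKLM\...\Installed Components\<id>\StubPath runs at a user's next logon
#    whenever HKCU lacks the same <id> or carries an older Version. Report stubs outside the
#    trusted directories and whether they are still pending for the current user. 'pending' is
#    approximate: on 64-bit hosts the per-user copy of WOW6432Node entries may sit elsewhere.
$asRoots = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components')
foreach ($root in $asRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.StubPath) { continue }
        $userKey = "HKCU:\Software\Microsoft\Active Setup\Installed Components\$($key.PSChildName)"
        $userVer = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).Version
        $pending = (-not $userVer) -or ($userVer -ne $props.Version)
        if (-not (Test-TrustedPath ([string]$props.StubPath))) {
            Add-Finding 'ActiveSetup' "$($key.PSChildName) StubPath=$($props.StubPath) pending=$pending"
        }
    }
}

# 3. Run keys (T1547.001) whose program is outside the trusted directories.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($p in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are provider metadata
        if (-not (Test-TrustedPath ([string]$p.Value))) { Add-Finding 'RunKey' "$rk\$($p.Name) = $($p.Value)" }
    }
}

# 4. Cached resolutions of the extracted C2 host. Get-DnsClientCache exists on Windows 8 /
#    Server 2012 and later; on the Windows 7 image used above, use 'ipconfig /displaydns' instead.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$C2Domain*" } |
        ForEach-Object { Add-Finding 'DnsCache' "$($_.Entry) -> $($_.Data)" }
}

$findings | Format-Table -AutoSize
```

Save the script, run it elevated, and triage each finding by hand: a hash match is conclusive, whereas an autostart entry outside the system directories or a cached lookup of the no-ip host is a lead that needs the referenced file and the process tree examined before the host is declared compromised.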