General
-
Target
ea9b49ec23588866cdfcf6b26e8086be_JaffaCakes118
-
Size
188KB
-
Sample
240919-fbwska1hll
-
MD5
ea9b49ec23588866cdfcf6b26e8086be
-
SHA1
5c66ec98a245b743da2b03103a613184f9b3f19d
-
SHA256
4a9c4a6c3cec852f026021a0fa74449b5919c3c4d8e425215510e66d071687de
-
SHA512
4f6bf6503cb79fc8599cb309ff6f1a016ab0e3378ef92839ebb94f0f7f8e373e847e0c7e057c9d03397af28b4e455d0f1c64c06c0236e7e28e9fa09b4674b388
-
SSDEEP
1536:nOlUIsOmCsNjyEBiMTq+ue3guzsUJaWFJu3:nkxMZRTq43guPJaWi3
Malware Config
Targets
-
-
Target
ea9b49ec23588866cdfcf6b26e8086be_JaffaCakes118
-
Size
188KB
-
MD5
ea9b49ec23588866cdfcf6b26e8086be
-
SHA1
5c66ec98a245b743da2b03103a613184f9b3f19d
-
SHA256
4a9c4a6c3cec852f026021a0fa74449b5919c3c4d8e425215510e66d071687de
-
SHA512
4f6bf6503cb79fc8599cb309ff6f1a016ab0e3378ef92839ebb94f0f7f8e373e847e0c7e057c9d03397af28b4e455d0f1c64c06c0236e7e28e9fa09b4674b388
-
SSDEEP
1536:nOlUIsOmCsNjyEBiMTq+ue3guzsUJaWFJu3:nkxMZRTq43guPJaWi3
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1