Extracted

Extracted

• • Target

    f0a5c81459868d6ce0c3b03c5c84a7e9_JaffaCakes118

  • Size

    1.3MB

  • MD5

    f0a5c81459868d6ce0c3b03c5c84a7e9

  • SHA1

    55a18bdf5366628676b9b9f29a65acd4de117d4b

  • SHA256

    2c48ba33ed8578db8e607267c12c2cbe1f07052d3baf70324e50dca5e39cb8d1

  • SHA512

    fc0ac0ff749070d3feaf66a83d3ddb1c4f4e453da4ae9e03cf6c95e5c0898fb57e172b11e112fd97bc8bba783736a886c6e560a1219a45c92a262490a198cf4b

  • SSDEEP

    24576:OIKi6LC+juonYOai3AVQwyO5bzgZhYcUy2UV8UA7JypaZ4q1VEx:d7UCTZOt3AVrySbUDuUGZP

  Score

  10^/10

  adwindlokibotxtremeratcollectioncredential_accessdiscoverypersistenceratspywarestealertrojan

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

    trojanadwind

  • Class file contains resources related to AdWind

  • Detect XtremeRAT payload

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2