General

  • Target

    efff2fe18024a3094929186dca954315_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240921-rt9ypaxcqn

  • MD5

    efff2fe18024a3094929186dca954315

  • SHA1

    2ba5cea58730f11b9b7d3fb582db68dbc8d16ca4

  • SHA256

    7dd9bd66025b79a1392b928ff5e2b3a62335465ebeabcf72e426f5490bd207d1

  • SHA512

    0d1f99669047d6fa6e6614928ee467708a224bc1dc947982d356d007bb1ba24a65de832b6a0ef1b24b0dbc5c5e02a169bd4e8bd3bc3ee4366979ff0c1fe3f872

  • SSDEEP

    24576:LqyeHypU4RJK007QGTojfj7XuHtXJ9pcvyZSQYBWt:nIypK7JTkLa

Malware Config

  • Extracted

    Family: xtremerat

  • C2

    nerozhack.ddns.com.br

    alonedevil.no-ip.org

    gameszero.dyndns.org

Targets

    • Detect XtremeRAT payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • UAC bypass

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks