General
-
Target
32865658e843d2713fd2b906cf75e705_JaffaCakes118
-
Size
135KB
-
Sample
241011-azvmhs1bkr
-
MD5
32865658e843d2713fd2b906cf75e705
-
SHA1
2af29c880a4651206f39330a342c8890fc318b50
-
SHA256
a5f705b4d0aa01fa095ee9a720cb9499548c6d704e73c205f4353462ab770931
-
SHA512
0b3c36bcd288a42d9fe102bf024e05baa944b456b4a5441d127cae014b2279986d8bf72aa236f7c620ef9e8774aa3e2460a05d5ac6e891d287775af25cda2a9b
-
SSDEEP
3072:b1dlKwgj23+Oz05YoNozsp33I/X809Lb7EFo6LLfk:b1dlZro5yA34M09LH2rvfk
Static task
static1
Behavioral task
behavioral1
Sample
32865658e843d2713fd2b906cf75e705_JaffaCakes118.exe
Resource
win7-20240903-en
Malware Config
Extracted
xtremerat
v0idhack.no-ip.biz
Targets
-
-
Target
32865658e843d2713fd2b906cf75e705_JaffaCakes118
-
Size
135KB
-
MD5
32865658e843d2713fd2b906cf75e705
-
SHA1
2af29c880a4651206f39330a342c8890fc318b50
-
SHA256
a5f705b4d0aa01fa095ee9a720cb9499548c6d704e73c205f4353462ab770931
-
SHA512
0b3c36bcd288a42d9fe102bf024e05baa944b456b4a5441d127cae014b2279986d8bf72aa236f7c620ef9e8774aa3e2460a05d5ac6e891d287775af25cda2a9b
-
SSDEEP
3072:b1dlKwgj23+Oz05YoNozsp33I/X809Lb7EFo6LLfk:b1dlZro5yA34M09LH2rvfk
-
Detect XtremeRAT payload
-
Modifies WinLogon for persistence
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Adds policy Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1