General

  • Target

    3d02e6931192b9bea60579a931148b18_JaffaCakes118

  • Size

    100KB

  • Sample

    241013-bllm5a1frc

  • MD5

    3d02e6931192b9bea60579a931148b18

  • SHA1

    c6c618cf011fbe7961e2058f05eb85d86caaa1a1

  • SHA256

    dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c

  • SHA512

    bc4ff80845102c852b60d21ee8f059da26eda150ff7f71eba745b0905c98d43096c6f9497b1145a3b80b2f551af5f29c3e16dd4f476257885b6ff37158edb9e2

  • SSDEEP

    1536:MqZotJJEtoB8NZojMB/x6/Fj/BPucceZcm/8hd0f1tYxG9:MqZ4UNZojMBktj8eZTPZ

Malware Config

Extracted

Family

xtremerat

C2

schalfer.no-ip.org

schalschalfer.no-ip.org

琼schalfer.no-ip.org

Targets

    • Detect XtremeRAT payload

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

MITRE ATT&CK Enterprise v15

Tasks