General

  • Target

    40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118

  • Size

    1.0MB

  • Sample

    241013-tpk5wavgmg

  • MD5

    40d35f1f6e71d5be3166dead89573bc8

  • SHA1

    5f6291b39dac2622a6ea97fbad8a7d4235797178

  • SHA256

    771d7a35e4e0b3fa80116af4b5e80afaefd24244e586950fd064574a997f1d72

  • SHA512

    2116a68b554746ef5abc743b8f885956b2b6626b4358ffb36d069d834fd3dc1d3f0ec4c9ee455e01ee755d529cee1d83d3179130dc94fed244e3b258195df409

  • SSDEEP

    12288:wOqBSe3b7MFJb7Mtx45EACL9NZ8JZi6MPNUp/musajK9I1yG88F+Nqhs:RCStUM5qjZQi6SNesajK9I1i8Frm

Malware Config

Extracted

Family

xtremerat

C2

youime.no-ip.info

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15
