General
- Target: 64c1988c983d043a875591cb3fb42028_JaffaCakes118
- Size: 21KB
- Sample: 241021-abqnnazbqr
- MD5: 64c1988c983d043a875591cb3fb42028
- SHA1: d80fa9df4089b36ee7e124d5876e8c50f1ee8785
- SHA256: 986255900be2eb56376108711208fd1806fd2f6ccc82078402788fa4d32f0757
- SHA512: 219a4844dce632994c479324c47c59318b35d03a86be975c079b7216e8f5de64c82687f2991bb54347d8f7e4f44d4d432654a2e17c8393f536af3dfbcb18ad54
- SSDEEP: 384:rHIdmF+Ti213fEF9QZd/cBr5M/gOjkaS4s/1k5YiZNl0tpQtXbidfhO8dpLR:TIsF81fG9QveLOYTe5YicpQZi9hO8h

Behavioral task: behavioral1
- Sample: 64c1988c983d043a875591cb3fb42028_JaffaCakes118.exe
- Resource: win7-20240903-en

Malware Config
- Extracted: xtremerat
- safo19.no-ip.biz
Targets
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)