General
- Target: 9414d0122883037eb97e8f678de853a5_JaffaCakes118
- Size: 142KB
- Sample: 241124-mh2qqavqcz
- MD5: 9414d0122883037eb97e8f678de853a5
- SHA1: 9bf1b6c180885052dcbadde767ac07c8637fe4aa
- SHA256: d4b3b42b4b08f3cfc8797e45d3d91901681bc4eff4a45e2254c4faa6820a21ca
- SHA512: aba06c12a466950e787630dbc8a7597b12f2a1e370770f1d755d0d83c57213c85aaa3543002ffc068435c43fbf1c3fccb01c9a5c775a2569e747c833502ce062
- SSDEEP: 1536:ISU77zF16QvCkFbmn2DHXIe1M0OA8F8Two0zCf4O1LhrUaNXCkxop7P8KH90q:ISyCQvCkFbA72hl0zCA+LpE7EEf
Static task: static1
Behavioral task: behavioral1
Sample: 9414d0122883037eb97e8f678de853a5_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted: xtremerat
l1merain.zapto.org
Targets
- Target: 9414d0122883037eb97e8f678de853a5_JaffaCakes118
- Detect XtremeRAT payload
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Xtremerat family
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)