Extracted

• • Target

    961a8521cce79a46a60744ab54b754b8_JaffaCakes118

  • Size

    1.3MB

  • MD5

    961a8521cce79a46a60744ab54b754b8

  • SHA1

    685d5847d3ee7b924753b2a52a784305e440e8a3

  • SHA256

    89ea1713321fbd890802d9515c1d919ad38b03f89efa8a1783bacd6af51d06e5

  • SHA512

    ff5213341f112192c10481342b1e1495951e68924a79782e60751fae10148b60122171185ef11a87d65655d7fe4fcbb0eb3dcbcfa20a3bcd7bc194e9772f79fe

  • SSDEEP

    24576:0SeKtzMR45AKKp6fI/XzRaMbh9wXOeVB3zwrXTGwqhTvm3TdTMd5:mRjK6WkxhreVRzwrXDq1m3T1Md5

  Score

  10^/10

  xtremeratdiscoverypersistenceratspyware

  • Detect XtremeRAT payload

  • Modifies WinLogon for persistence

    persistence

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Xtremerat family

    xtremerat

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2