General
-
Target
a828e47d1bda403ab9a7d26381f1de30_JaffaCakes118
-
Size
151KB
-
Sample
241127-q8pqmawlev
-
MD5
a828e47d1bda403ab9a7d26381f1de30
-
SHA1
3c1267eb0e5e2b539a50c0f8b69f47bbd59d2063
-
SHA256
d87e3f57e558912eb63cedc9246030a9c5f968ceff5d9ae73912e84b83308780
-
SHA512
950384bd08d349aa5186ca3713b38ad5eef0697623d150e0f64f3b3c70691f62711ad9793df414909d08f8e40b5a4325061b39e1007e365d71f987469240b71f
-
SSDEEP
3072:QdXFWBmsMv2tqVZLdrz7MUCiXizOHielQwX3FuoWtjk:QfrsRtU7JwzRe1lu1V
Malware Config
Targets
-
-
Target
a828e47d1bda403ab9a7d26381f1de30_JaffaCakes118
-
Size
151KB
-
MD5
a828e47d1bda403ab9a7d26381f1de30
-
SHA1
3c1267eb0e5e2b539a50c0f8b69f47bbd59d2063
-
SHA256
d87e3f57e558912eb63cedc9246030a9c5f968ceff5d9ae73912e84b83308780
-
SHA512
950384bd08d349aa5186ca3713b38ad5eef0697623d150e0f64f3b3c70691f62711ad9793df414909d08f8e40b5a4325061b39e1007e365d71f987469240b71f
-
SSDEEP
3072:QdXFWBmsMv2tqVZLdrz7MUCiXizOHielQwX3FuoWtjk:QfrsRtU7JwzRe1lu1V
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1