Extracted

Extracted

• • Target

    a91a9b39b94464b44184730ddf5c9ea2_JaffaCakes118

  • Size

    3.9MB

  • MD5

    a91a9b39b94464b44184730ddf5c9ea2

  • SHA1

    0a07247bf87258f8205f6380819086f0c22d081d

  • SHA256

    a58eb70c9e826fad3872d70134cb945ef72d0865407b066090408cce53a38b23

  • SHA512

    3d4bdf2a1745f19d350f0b83d2491d155b3256ca5fe2e74a02bfcc099e906d90f6e1fdcecf13bdeb9689518ddde31584fa85b68c1bfb1b0f40e637440d698e26

  • SSDEEP

    98304:eBXC0RWM6bbpdl6Jz1leThe1hJKS3cTcKlEJZL9TAgAI:elCHM6bbLl6JZlKheJKSMcDZL9TAA

  Score

  10^/10

  xtremerataspackv2bootkitdiscoveryevasionpersistencephishingratspywarestealertrojan

  • Detect XtremeRAT payload

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Xtremerat family

    xtremerat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • A potential corporate email address has been identified in the URL: [email protected]

    phishing

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2