General
-
Target
c84f1f50f835b553b0505e7c1a17d053_JaffaCakes118
-
Size
1.3MB
-
Sample
241205-smygrawldr
-
MD5
c84f1f50f835b553b0505e7c1a17d053
-
SHA1
8c1fb33748c6b56eae1b925aab3b278419bab13e
-
SHA256
bb77ccca5f9c6b8b65c80ffbf3f50623bbab0655e487a2c14e7b19c726eaf3e1
-
SHA512
c8eeeaf4e1f8262585732b088af33a731b028960e29d1864e48601bcf952745cc77e57d16692f7156cdba66acebc39272cbdcdbf2df675fcf43b2ec8612c367e
-
SSDEEP
24576:pRmJkcoQricOIQxiZY1WNjHPoccAe2HFPXEsx12KQUHYBR:mJZoQrbTFZY1WNzXpbWUH8
Static task
static1
Behavioral task
behavioral1
Sample
c84f1f50f835b553b0505e7c1a17d053_JaffaCakes118.exe
Resource
win7-20240903-en
Malware Config
Extracted
xtremerat
alano2013.no-ip.org
IP: 1gameszero.dyndns.org
Ągameszero.dyndns.org
Targets
-
-
Target
c84f1f50f835b553b0505e7c1a17d053_JaffaCakes118
-
Size
1.3MB
-
MD5
c84f1f50f835b553b0505e7c1a17d053
-
SHA1
8c1fb33748c6b56eae1b925aab3b278419bab13e
-
SHA256
bb77ccca5f9c6b8b65c80ffbf3f50623bbab0655e487a2c14e7b19c726eaf3e1
-
SHA512
c8eeeaf4e1f8262585732b088af33a731b028960e29d1864e48601bcf952745cc77e57d16692f7156cdba66acebc39272cbdcdbf2df675fcf43b2ec8612c367e
-
SSDEEP
24576:pRmJkcoQricOIQxiZY1WNjHPoccAe2HFPXEsx12KQUHYBR:mJZoQrbTFZY1WNzXpbWUH8
-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops file in Drivers directory
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1