Extracted

• • Target

    JaffaCakes118_032687d100b775f3693d581156e20456

  • Size

    3.6MB

  • MD5

    032687d100b775f3693d581156e20456

  • SHA1

    41deda7622b2300396f3d236c29df5f696bb4503

  • SHA256

    a674a4a32f849cc121e6b872da5a793418de56a458e530b351a801ba6d6300f7

  • SHA512

    b1222c235d062dcd108d65acba6b05f5aae768530de86aca2077dd7785b07cf57d48df8207675a3280f9b8e2c4c7bc4d288f927dc6d8d06b4c9d2afbc6304f83

  • SSDEEP

    98304:Snsmtk2ajqXpy05Q0N1rsYSZ6BoXh1kkypSH3Oh5Bemg:cLT405QYtsTEB08T8HehLv

  Score

  10^/10

  xredbackdoordefense_evasiondiscoveryevasionpersistencespywarestealertrojanupx

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Modifies security service

    evasion

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred

  • Xred family

    xred

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Security services

    Modifies the startup behavior of a security service.

    defense_evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2