General
-
Target
JaffaCakes118_071f397a055b3c9fbd59de1e5520670b
-
Size
88KB
-
Sample
250121-yqx82symct
-
MD5
071f397a055b3c9fbd59de1e5520670b
-
SHA1
09affce67ff7613d87c1b373ec7ff5402048141a
-
SHA256
0104ec1f1abdddfb62e1abeb0beada57b1b46bbcc712723d42e231732e366269
-
SHA512
a0d6b832106310090069a736fca1103d2cd4399be6c0ae046130300b75bb7128684b5f04a31f0b65ee726a696dd673f32776f5ca5165f0ab09918864e5817e47
-
SSDEEP
1536:dK9nQUbYuMezqoqs5c+PMwnaaD8aOxcrPdoK+1IK:CQUbYvoqs5c+PMwaELndor
Malware Config
Targets
-
-
Target
JaffaCakes118_071f397a055b3c9fbd59de1e5520670b
-
Size
88KB
-
MD5
071f397a055b3c9fbd59de1e5520670b
-
SHA1
09affce67ff7613d87c1b373ec7ff5402048141a
-
SHA256
0104ec1f1abdddfb62e1abeb0beada57b1b46bbcc712723d42e231732e366269
-
SHA512
a0d6b832106310090069a736fca1103d2cd4399be6c0ae046130300b75bb7128684b5f04a31f0b65ee726a696dd673f32776f5ca5165f0ab09918864e5817e47
-
SSDEEP
1536:dK9nQUbYuMezqoqs5c+PMwnaaD8aOxcrPdoK+1IK:CQUbYvoqs5c+PMwaELndor
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1