Extracted

• • Target

    JaffaCakes118_35368b8ab1e1b01582ab67c45ecda042

  • Size

    113KB

  • MD5

    35368b8ab1e1b01582ab67c45ecda042

  • SHA1

    626ac90e59d87a8a45666d999e1212bb72f51f11

  • SHA256

    5c411aa97bb3ddfb1006204996eeb80898c8d6f0b15a2c516c65483dbdd2ea13

  • SHA512

    31c35f31953ad922a11238cd8dcbe51d7dc093faff59977c2166d826408c1119ec3fe05d73167f14c86be93847594ad58f4d3b21d9768153a95804d6f82c0319

  • SSDEEP

    1536:fC5p7b0RGwWtTYGUFwMeAur6vcOAFpRJNF+75DUSvHgMpvP5D9xOPcJS7:fIdo8tEMF+ErFnJkUmAMVRccJS7

  Score

  10^/10

  xtremeratdiscoverypersistenceratspyware

  • Detect XtremeRAT payload

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Xtremerat family

    xtremerat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2