General

  • Target

    JaffaCakes118_71eb71d34bff5b753cbbb70a94a9f21f

  • Size

    736KB

  • Sample

    250201-p5ntgsvnck

  • MD5

    71eb71d34bff5b753cbbb70a94a9f21f

  • SHA1

    739c45f699a61c35af33bd2185c1a235e39ffe84

  • SHA256

    14b5b5b795998d35a0d7fdbec17264d677ccbe42ca0f0012ddea0b89c581998c

  • SHA512

    700cd3f5684fcde394f17bd03e7490d3fea78177bf4bad1ef4a27d5d767991b82d54b9b803e736785e339d117328cd098cb011349a7075430c0f51959bee6dc0

  • SSDEEP

    12288:3oVzigVCwDn2Ut+Vcoyh/XKnMwnr6xJCiPAJrxyQPuoxMgUKMeO1MBMuSau:4V/Jdt+WLcPnuifZ1UKpX

Malware Config

Extracted

Family

xtremerat

C2

bandh.no-ip.org

Targets

    • Target

      JaffaCakes118_71eb71d34bff5b753cbbb70a94a9f21f

    • Size

      736KB

    • MD5

      71eb71d34bff5b753cbbb70a94a9f21f

    • SHA1

      739c45f699a61c35af33bd2185c1a235e39ffe84

    • SHA256

      14b5b5b795998d35a0d7fdbec17264d677ccbe42ca0f0012ddea0b89c581998c

    • SHA512

      700cd3f5684fcde394f17bd03e7490d3fea78177bf4bad1ef4a27d5d767991b82d54b9b803e736785e339d117328cd098cb011349a7075430c0f51959bee6dc0

    • SSDEEP

      12288:3oVzigVCwDn2Ut+Vcoyh/XKnMwnr6xJCiPAJrxyQPuoxMgUKMeO1MBMuSau:4V/Jdt+WLcPnuifZ1UKpX

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks