General

  • Target

    JaffaCakes118_8d9e8fa31ff868db83ed7cf43206cbbb

  • Size

    252KB

  • Sample

    250203-3dwlxaynbl

  • MD5

    8d9e8fa31ff868db83ed7cf43206cbbb

  • SHA1

    630a5a4de15e98cd260d6ef2fc95e308a66967e5

  • SHA256

    ca86c8fd7e09ef77774e848691969192ed0c595b8fd603e76b68971b2a362205

  • SHA512

    ef0ee64d9646ac5edbbd31b57c1898888e5b9aae054a5fc18e511ec43a89e7996a011e5044a615b340a5f784ae7bbbcdc2cfa7d3145eb10cf81641b8fc5c778b

  • SSDEEP

    6144:aEYZeuS2ZzHo7pygJxhIDb8I2LIqUMP77xmokRSfx8h+:ceuS0ypyEhI38IUIaBmo+SZ8Y

Malware Config

Extracted

Family

xtremerat

C2

hashemrnen.no-ip.biz

Targets

    • Target

      JaffaCakes118_8d9e8fa31ff868db83ed7cf43206cbbb

    • Size

      252KB

    • MD5

      8d9e8fa31ff868db83ed7cf43206cbbb

    • SHA1

      630a5a4de15e98cd260d6ef2fc95e308a66967e5

    • SHA256

      ca86c8fd7e09ef77774e848691969192ed0c595b8fd603e76b68971b2a362205

    • SHA512

      ef0ee64d9646ac5edbbd31b57c1898888e5b9aae054a5fc18e511ec43a89e7996a011e5044a615b340a5f784ae7bbbcdc2cfa7d3145eb10cf81641b8fc5c778b

    • SSDEEP

      6144:aEYZeuS2ZzHo7pygJxhIDb8I2LIqUMP77xmokRSfx8h+:ceuS0ypyEhI38IUIaBmo+SZ8Y

    • Detect XtremeRAT payload

    • XtremeRAT

XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Xtremerat family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks