General
-
Target
JaffaCakes118_d05a766f0c01c814f1d5db0f73a84969
-
Size
46KB
-
Sample
250209-ryk55atqen
-
MD5
d05a766f0c01c814f1d5db0f73a84969
-
SHA1
39a9aebc404cb3a2641e9f0cd72e604270bf9121
-
SHA256
3c1a656478c74f7ab09a0f936f0c439b9523ab59129c13660f229e2dee3c2f97
-
SHA512
5d118ab23548cb73b3b2035febed45fa8b9c00e597dda96edcd0e81e308e3dab05515a4ed85968a372218d6987b9a49dba85714029ced745dca68dea78c90e43
-
SSDEEP
768:7NBUivjt0N5Rh3jAmcZ9C9WchwbJrfvifwKx3S/90j9ZWEGU5rPgWY:7NmajyNh8mWs9WcA1vR8C/9pU57fY
Malware Config
Targets
-
-
Target
JaffaCakes118_d05a766f0c01c814f1d5db0f73a84969
-
Size
46KB
-
MD5
d05a766f0c01c814f1d5db0f73a84969
-
SHA1
39a9aebc404cb3a2641e9f0cd72e604270bf9121
-
SHA256
3c1a656478c74f7ab09a0f936f0c439b9523ab59129c13660f229e2dee3c2f97
-
SHA512
5d118ab23548cb73b3b2035febed45fa8b9c00e597dda96edcd0e81e308e3dab05515a4ed85968a372218d6987b9a49dba85714029ced745dca68dea78c90e43
-
SSDEEP
768:7NBUivjt0N5Rh3jAmcZ9C9WchwbJrfvifwKx3S/90j9ZWEGU5rPgWY:7NmajyNh8mWs9WcA1vR8C/9pU57fY
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1