Extracted

• • Target

    JaffaCakes118_85cae56344e697cbdb0393f569798f07

  • Size

    634KB

  • MD5

    85cae56344e697cbdb0393f569798f07

  • SHA1

    8e34b78372a5c8bfd2fe24805d2e9b1218872a1d

  • SHA256

    29c055bbdbe31be2d61dce05661803de15582688ec63f4498c059f18fbbd8c9e

  • SHA512

    fcdf1b6cd7263aabcfd3766c9c7b6d026e6a7a8734d14fedff0fffd628efe8c62c531bbbdc098b296a58e2754041eefd96f64e1adc00e3fb9e2fb6fe1e7b7d5d

  • SSDEEP

    12288:EUao7YNQdGmLPxez8dFlZqBENN3ZcWb0lvIff/eh+gK/gOC:EU7wQgZz+8OXpc1y6+Xz

  Score

  10^/10

  xtremeratdiscoverypersistenceratspyware

  • Detect XtremeRAT payload

  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat

  • Xtremerat family

    xtremerat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2