General
Target: 2a3235be02c304d4afd8bbf6a8da073a_JaffaCakes118
Size: 1.2MB
Sample: 240707-3m4nwatgrb
MD5: 2a3235be02c304d4afd8bbf6a8da073a
SHA1: bd9e61b993a728719655a609b9de31fa584c6d0b
SHA256: 888f0ba3aa1c2c9aee5f2f73dcf4029e6e5791cc0b1de70d52de2f4dbfd93bd4
SHA512: 8213e6d3ddd89a84e5a3440329e6dc1a7c47e1af07797cbbec0ac634574b03fcab17f79becc5305d951c10e8c1107d740a9f2e71d76c58fdbc6c681b018a5ab8
SSDEEP: 24576:BgD12sxIQ28zR4JyJ4pOlmtO/YG1KNhHIYZmO/4Jwp:BOyF8N4gupGmtArKNhVZF/Cwp
Static task: static1
Behavioral task: behavioral1
  Sample: 2a3235be02c304d4afd8bbf6a8da073a_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 2a3235be02c304d4afd8bbf6a8da073a_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
Malware Config
Extracted
xtremerat
bykanunsuzboy.no-ip.biz
Targets
Target: 2a3235be02c304d4afd8bbf6a8da073a_JaffaCakes118
Size: 1.2MB
Score: 10/10
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext