xtremerat | cfc294b7ca1e9e23484e5466bb2672da84f609ab0ee6450160b4084f960030cb | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...33.exe

windows7-x64

JaffaCakes...33.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_7737022fd54af45023bb81dcf0a27b33
Size

220KB
Sample

250104-dge1wszndn
MD5

7737022fd54af45023bb81dcf0a27b33
SHA1

8be008b1e685a2007f793bcee2f2d4d17a025461
SHA256

cfc294b7ca1e9e23484e5466bb2672da84f609ab0ee6450160b4084f960030cb
SHA512

cd9bd3bbebe889d5ee1eb36ed0a8f16f1cae1caa29a3715dd8e88d96c0c04880a1015700f6ab51d03ddb0607f548dc6fb33af614edfaa2269d9ff1f06ab9a8cc
SSDEEP

3072:QrK8QOnOKaPI56wVppeppl0hs6m9CdGZ:QrK8zGkm9Cc

Score

10^/10

xtremerat discovery persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_7737022fd54af45023bb81dcf0a27b33.exe

Resource

win7-20240903-en

xtremerat discovery persistence rat spyware

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_7737022fd54af45023bb81dcf0a27b33.exe

Resource

win10v2004-20241007-en

xtremerat discovery persistence rat spyware

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_7737022fd54af45023bb81dcf0a27b33
- Size
  
  220KB
- MD5
  
  7737022fd54af45023bb81dcf0a27b33
- SHA1
  
  8be008b1e685a2007f793bcee2f2d4d17a025461
- SHA256
  
  cfc294b7ca1e9e23484e5466bb2672da84f609ab0ee6450160b4084f960030cb
- SHA512
  
  cd9bd3bbebe889d5ee1eb36ed0a8f16f1cae1caa29a3715dd8e88d96c0c04880a1015700f6ab51d03ddb0607f548dc6fb33af614edfaa2269d9ff1f06ab9a8cc
- SSDEEP
  
  3072:QrK8QOnOKaPI56wVppeppl0hs6m9CdGZ:QrK8zGkm9Cc
Score

10^/10

xtremerat discovery persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspyware

behavioral2

xtremeratdiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy