xtremerat | e3a9e90308d7a12bd83ad8d85b746500db04887adc6d1cab0223592ca7a53503 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...00.exe

windows7-x64

JaffaCakes...00.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_c200a046fd4b5e858f71173bc992c400
Size

372KB
Sample

250208-mcvefsyqdz
MD5

c200a046fd4b5e858f71173bc992c400
SHA1

d9c019b9ea5fe8d25f696d759bcbae1ab57b28d7
SHA256

e3a9e90308d7a12bd83ad8d85b746500db04887adc6d1cab0223592ca7a53503
SHA512

63c75179ebe46635a9753695375ebd53d4c84faaa11d6e8bc23af60554ccec4e2d9673d761f313990b73989056dc9b95aca30160c4faa3925c6ce8c6cd0ad381
SSDEEP

6144:rPwurnUZkJGPJxkOCW/CW68QD1Qeme0039q2tIA2ueDf:AxxkVGej91ejDf

Score

10^/10

xtremerat bootkit defense_evasion discovery persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_c200a046fd4b5e858f71173bc992c400.exe

Resource

win7-20250207-en

xtremerat bootkit defense_evasion discovery persistence rat spyware

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_c200a046fd4b5e858f71173bc992c400.exe

Resource

win10v2004-20250207-en

xtremerat bootkit defense_evasion discovery persistence rat spyware

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_c200a046fd4b5e858f71173bc992c400
- Size
  
  372KB
- MD5
  
  c200a046fd4b5e858f71173bc992c400
- SHA1
  
  d9c019b9ea5fe8d25f696d759bcbae1ab57b28d7
- SHA256
  
  e3a9e90308d7a12bd83ad8d85b746500db04887adc6d1cab0223592ca7a53503
- SHA512
  
  63c75179ebe46635a9753695375ebd53d4c84faaa11d6e8bc23af60554ccec4e2d9673d761f313990b73989056dc9b95aca30160c4faa3925c6ce8c6cd0ad381
- SSDEEP
  
  6144:rPwurnUZkJGPJxkOCW/CW68QD1Qeme0039q2tIA2ueDf:AxxkVGej91ejDf
Score

10^/10

xtremerat bootkit defense_evasion discovery persistence rat spyware
- Detect XtremeRAT payload
- Modifies firewall policy service
  defense_evasion
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Pre-OS Boot

Bootkit

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Network Share Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratbootkitdefense_evasiondiscoverypersistenceratspyware

behavioral2

xtremeratbootkitdefense_evasiondiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy