xtremerat | 40fda4ca6342e7bff03b1a55cf1414b9099b86a4beab4a65eedfdc98103c388d

General

Target

ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
Size

344KB
MD5

ea5b81ef79adb077ed832aae119fb0be
SHA1

85078dda8bfe43db70d3cc85fb877a1fa5132f33
SHA256

40fda4ca6342e7bff03b1a55cf1414b9099b86a4beab4a65eedfdc98103c388d
SHA512

4a7783ffd50a669cc58b4b9d518648f8e4bfdb6399b555b231a5f0695c7d69aaad4b6ee28878e63e204d26a86818429b6d98647fa52586b87c3d18b180caf92d
SSDEEP

6144:SNW7mvIZNC7rGN3bkty0Mki8787O71rkhJSammcmZq:QW7SIa7rGNrkty0fkhAlmvq

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

server.exestub.exe

pid process

5060 server.exe
3092 stub.exe

pid	process
5060	server.exe
3092	stub.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\server.exe	upx
behavioral2/memory/5060-12-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2788 1748 WerFault.exe svchost.exe
2684 1748 WerFault.exe svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exestub.exe

pid process

3752 ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
3092 stub.exe

pid	pid_target	process	target process
2788	1748	WerFault.exe	svchost.exe
2684	1748	WerFault.exe	svchost.exe

pid	process
3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
3092	stub.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 3752 wrote to memory of 5060	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	server.exe
PID 3752 wrote to memory of 5060	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	server.exe
PID 3752 wrote to memory of 5060	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	server.exe
PID 3752 wrote to memory of 3092	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	stub.exe
PID 3752 wrote to memory of 3092	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	stub.exe
PID 3752 wrote to memory of 3092	3752	ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe	stub.exe
PID 5060 wrote to memory of 1748	5060	server.exe	svchost.exe
PID 5060 wrote to memory of 1748	5060	server.exe	svchost.exe
PID 5060 wrote to memory of 1748	5060	server.exe	svchost.exe
PID 5060 wrote to memory of 1748	5060	server.exe	svchost.exe
PID 5060 wrote to memory of 468	5060	server.exe	msedge.exe
PID 5060 wrote to memory of 468	5060	server.exe	msedge.exe
PID 5060 wrote to memory of 468	5060	server.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea5b81ef79adb077ed832aae119fb0be_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe" 0
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 480
4⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 488
4⤵
- Program crash
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe" 0
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1748 -ip 1748
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1748 -ip 1748
1⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=2256,i,5035714022000286426,16259316383734940314,262144 --variations-seed-version /prefetch:8
1⤵
PID:3216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
33KB

MD5
6ba9aeea2cfc136a045b3b4c291e85b5

SHA1
7d38a526512bb3bbf92225c25702753e6eaacecd

SHA256
161a15b89f83419c96cb73f83176e6845b51a682e3a39592639950880e35bca9

SHA512
c0d3bba772ab70a4491701b833fc151c79987a540e928b9d21e166a2029f73800d4a54e7bd533d17999b7fa3022c1fc064a63b1cbc56103a7278f492dca93f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.exe
Filesize
300KB

MD5
8a45fe85898666c75dc0ce2fd878d340

SHA1
8346d03c553a85c5046a154123adb1af454e3717

SHA256
47a6e501e51c466d43bb7638de421b4c30b80e24cdfeeedafab82b06ba41534a

SHA512
0941c2c170ce2a1991f301caad8a237cd67f5df972718acfe7b7b6c0beb5be0ba7bc817d21405b0981d90993aa6e725d4b4f76ac54686e47e299cf6fc396a1bb

Download Submit
memory/1748-24-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1748-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5060-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5060-25-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads