xtremerat | d5f343c90024ae4e5e427b813ab4cb009d12f5bc3d2ff33990418b0bfa76022d

General

Target

f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
Size

376KB
MD5

f05a02ef611cc0db1a64bb859a069497
SHA1

6f873621db30814be163f4ae3ddf2d71cb8fb2fa
SHA256

d5f343c90024ae4e5e427b813ab4cb009d12f5bc3d2ff33990418b0bfa76022d
SHA512

baa22020e303ab74c737e37c896ef518aecbe8658f120994898ae60912ce8e6dda4ba0d340c97aa4c587fde81a0b4e8f58fbf0f6ed36015dcd45208710892563
SSDEEP

6144:l1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe59aI3yN5gyNA4:ljkArEN249AyE/rbaMct4bO2/VJyYyz

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

123vivalgerie.no-ip.biz

ƶallgeriaa.zapto.org

getdesktoppreviewinfo|130mahdidi.zapto.org

ƶ123vivalgerie.no-ip.biz

Signatures

Detect XtremeRAT payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\00.exe	family_xtremerat
\Users\Admin\AppData\Local\Temp\0.exe	family_xtremerat
behavioral1/memory/2692-30-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2696-31-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2556-33-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2700-32-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2696-34-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2692-35-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 2 IoCs

Processes:

00.exe0.exe

pid process

2556 00.exe
2700 0.exe

pid	process
2556	00.exe
2700	0.exe

Loads dropped DLL 4 IoCs

Processes:

f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe

pid	process
2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2228-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2228-25-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2228-25-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe0.exe00.exe

description	pid	process	target process
PID 2228 wrote to memory of 2556	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 2228 wrote to memory of 2556	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 2228 wrote to memory of 2556	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 2228 wrote to memory of 2556	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 2228 wrote to memory of 2700	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 2228 wrote to memory of 2700	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 2228 wrote to memory of 2700	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 2228 wrote to memory of 2700	2228	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 2700 wrote to memory of 2696	2700	0.exe	svchost.exe
PID 2700 wrote to memory of 2696	2700	0.exe	svchost.exe
PID 2700 wrote to memory of 2696	2700	0.exe	svchost.exe
PID 2700 wrote to memory of 2696	2700	0.exe	svchost.exe
PID 2556 wrote to memory of 2692	2556	00.exe	svchost.exe
PID 2556 wrote to memory of 2692	2556	00.exe	svchost.exe
PID 2556 wrote to memory of 2692	2556	00.exe	svchost.exe
PID 2556 wrote to memory of 2692	2556	00.exe	svchost.exe
PID 2556 wrote to memory of 2692	2556	00.exe	svchost.exe
PID 2700 wrote to memory of 2696	2700	0.exe	svchost.exe
PID 2556 wrote to memory of 2796	2556	00.exe	iexplore.exe
PID 2556 wrote to memory of 2796	2556	00.exe	iexplore.exe
PID 2556 wrote to memory of 2796	2556	00.exe	iexplore.exe
PID 2556 wrote to memory of 2796	2556	00.exe	iexplore.exe
PID 2700 wrote to memory of 2688	2700	0.exe	iexplore.exe
PID 2700 wrote to memory of 2688	2700	0.exe	iexplore.exe
PID 2700 wrote to memory of 2688	2700	0.exe	iexplore.exe
PID 2700 wrote to memory of 2688	2700	0.exe	iexplore.exe
PID 2700 wrote to memory of 2688	2700	0.exe	iexplore.exe
PID 2556 wrote to memory of 2796	2556	00.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\00.exe
C:\Users\Admin\AppData\Local\Temp/00.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp/0.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2688

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0.exe
Filesize
65KB

MD5
5a98f8f5e1b03fefb69bee161ff8bad7

SHA1
5fd4fa720f4cabf4f2052b8852913588e89c7620

SHA256
6d69b703f18dfbe14729b1e64fa027a1d7d86020308749c7722ea33326503536

SHA512
ca4e4c0c280b0e28ba0440272fb0f535c5935c4f53751c68d1cbb727c37c6d680a84a8c7e6369178e39ddc998c8398f0debb25c7fa6246c0d59df8b44189cd6d

Download Submit
\Users\Admin\AppData\Local\Temp\00.exe
Filesize
65KB

MD5
3e44cbf60321d5e8a6f6e93071d472fc

SHA1
265824f327c150c58463c2785573741cbb272108

SHA256
930013f511bfe51d64e6f4d9f505ad39d7aa5b5c3b6d51659b53da2e9ce13d6e

SHA512
aac31e49023e6e785516e9114146dceb17167c6b65cd4d0bdf77825872eea7a761b7f065007d536a198ba8766e938a528c0966189af979a66ccdb38a7f42547c

Download Submit
memory/2228-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2228-25-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2556-33-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2692-30-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2692-35-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2696-26-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2696-31-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2696-34-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2700-32-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads