xtremerat | f96995899d4bc1ee309064480316a0add0e089e708e2d0c99645f08518eabdd1

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Size

449KB
MD5

f0dfc3c1267ab4e9694e00b16fdb647d
SHA1

44812282bd1228a4b659d300815749a567169572
SHA256

f96995899d4bc1ee309064480316a0add0e089e708e2d0c99645f08518eabdd1
SHA512

1cc704e9fde7b0f4ac49f190b202ed86c53fad7ee9a61c6e7fae11a8962ade6961a5b653d9c36c239418bd181eed52ba666ca6b87b58b38cf29b885200ae446d
SSDEEP

6144:TXQAYzJMEExuJrc/vIU0SSM627FAAVBZLjJoxGq6IE2gXDD02L2jsraaHl/pqlmJ:TXQAaSuJQnIu0AVjFYGq6sd2J7qllVDw

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 2 IoCs

Processes:

r.exer.exe

pid process

1012 r.exe
872 r.exe
Loads dropped DLL 2 IoCs

Processes:

f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exer.exe

pid process

2380 f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
1012 r.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

r.exe

description pid process target process

PID 1012 set thread context of 872 1012 r.exe r.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1012	r.exe
872	r.exe

pid	process
2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
1012	r.exe

description	pid	process	target process
PID 1012 set thread context of 872	1012	r.exe	r.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exer.exe

description	pid	process
Token: 33	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: 33	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: 33	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: 33	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
Token: 33	1012	r.exe
Token: SeIncBasePriorityPrivilege	1012	r.exe
Token: 33	1012	r.exe
Token: SeIncBasePriorityPrivilege	1012	r.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

r.exe

pid process

1012 r.exe

pid	process
1012	r.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exer.exer.exe

description	pid	process	target process
PID 2380 wrote to memory of 1012	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe	r.exe
PID 2380 wrote to memory of 1012	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe	r.exe
PID 2380 wrote to memory of 1012	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe	r.exe
PID 2380 wrote to memory of 1012	2380	f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 1012 wrote to memory of 872	1012	r.exe	r.exe
PID 872 wrote to memory of 884	872	r.exe	svchost.exe
PID 872 wrote to memory of 884	872	r.exe	svchost.exe
PID 872 wrote to memory of 884	872	r.exe	svchost.exe
PID 872 wrote to memory of 884	872	r.exe	svchost.exe
PID 872 wrote to memory of 884	872	r.exe	svchost.exe
PID 872 wrote to memory of 2260	872	r.exe	iexplore.exe
PID 872 wrote to memory of 2260	872	r.exe	iexplore.exe
PID 872 wrote to memory of 2260	872	r.exe	iexplore.exe
PID 872 wrote to memory of 2260	872	r.exe	iexplore.exe
PID 872 wrote to memory of 2260	872	r.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0dfc3c1267ab4e9694e00b16fdb647d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\K5\10.04.0040\1433.01.12T16.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\r.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\K5\10.04.0040\1433.01.12T16.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\r.exe
C:\Users\Admin\AppData\Local\Temp\r.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2260

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\K5\10.04.0040\1433.01.12T16.49\Virtual\STUBEXE\@APPDATALOCAL@\Temp\r.exe
Filesize
17KB

MD5
8c9b4e5ca083a19561ad52fa1e4129f4

SHA1
302d8071a1cc7cc3331d26acc695a5f0fa1238ff

SHA256
2149255b650905ce4581323fb85a7c2d0e8880a117d37b3b267dc7b3a5cae225

SHA512
949bdd8ebe891d7738bc58917a4c29a84a4451c7d6b6c110923c18f2d96a5ffe003041378652032d371f760486ab733dd9c6b07a986d84060d6f1ea495e462a8

Download Submit
memory/1012-364-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-368-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-370-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-374-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-387-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/1012-384-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/1012-382-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-378-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download
memory/1012-375-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-76-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-72-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-29-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-27-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-23-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-17-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-16-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-11-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-9-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-8-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-6-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-2-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-32-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-35-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-37-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-126-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-46-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-44-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-42-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-40-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-48-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-50-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-57-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-60-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-59-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-55-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-62-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-53-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-64-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-67-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-65-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-70-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-124-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-74-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-25-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-81-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-84-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-107-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-122-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-121-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-79-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-31-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-39-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-128-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-130-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-77-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-132-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-134-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-136-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-138-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-140-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-142-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-145-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-69-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-163-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-187-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-186-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-189-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-162-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-208-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-210-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-212-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-227-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-226-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-229-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-240-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-241-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-243-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-245-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-250-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-254-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-265-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-302-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-21-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-19-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/2380-13-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-4-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-1-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-338-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-360-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2380-366-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download