xtremerat | 90c73004a698704f7252c3f941323425610a49bf909f4ee3f1579897ac2ab474

General

Target

f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
Size

61KB
MD5

f7c8fb3e941672208832623c00042d67
SHA1

1c24bdae294e044dff767256e180e000e78feef9
SHA256

90c73004a698704f7252c3f941323425610a49bf909f4ee3f1579897ac2ab474
SHA512

ac430bee2e37b66f6f1e31655350f33198af26fa96563a50490a1cc7cd825bfc3e764e4e72d6634d8099cb981bf9f0050663f5ff47e620d89ef3b6a4591779f3
SSDEEP

1536:OqMxCxZyzT81Rap5R8mkPWO79RPbovi036E:ONxCbB1RapHDdq9hW6E

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

mimmo86.no-ip.org

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-5-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/3024-6-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2136-9-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/3024-10-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2136-11-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3024-2-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/3024-4-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/3024-5-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/3024-6-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2136-9-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/3024-10-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2136-11-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

description	pid	process	target process
PID 2240 set thread context of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

pid process

2240 f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

pid	process
2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f7c8fb3e941672208832623c00042d67_JaffaCakes118.exef7c8fb3e941672208832623c00042d67_JaffaCakes118.exe

description	pid	process	target process
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 2240 wrote to memory of 3024	2240	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
PID 3024 wrote to memory of 2136	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	svchost.exe
PID 3024 wrote to memory of 2136	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	svchost.exe
PID 3024 wrote to memory of 2136	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	svchost.exe
PID 3024 wrote to memory of 2136	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	svchost.exe
PID 3024 wrote to memory of 2136	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	svchost.exe
PID 3024 wrote to memory of 2976	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	iexplore.exe
PID 3024 wrote to memory of 2976	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	iexplore.exe
PID 3024 wrote to memory of 2976	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	iexplore.exe
PID 3024 wrote to memory of 2976	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	iexplore.exe
PID 3024 wrote to memory of 2976	3024	f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f7c8fb3e941672208832623c00042d67_JaffaCakes118.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2976

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-7-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2136-9-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2136-11-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3024-2-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3024-4-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3024-5-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3024-6-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3024-10-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads