xtremerat | 639da9d81d90ad0f9df315c09acbf09c87150ea78a284d944d2f0ab990771f39

General

Target

fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
Size

51KB
MD5

fa98f299330d2ca94971f373eace4d7c
SHA1

9d75b7eb3bd1d68788ad9b3c5952e3e9b7eadfb1
SHA256

639da9d81d90ad0f9df315c09acbf09c87150ea78a284d944d2f0ab990771f39
SHA512

d295c2a0bd2f767696b851818cfdfd69cb182fbe802952e17dd5d48bfe8acaaac87b4e37e8121696cf1f61ad5a520d8e5c16708883fe42041a06fc9024b3a667
SSDEEP

1536:p5QAEeWPJ3okPGZAZKF/O3uKSYk9Wa9oFqxbWX:pKAEeUJlGCeK6WwoFqxCX

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

roin.no-ip.biz

Signatures

Detect XtremeRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2992-6-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/1988-10-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2992-11-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/1988-12-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2992-2-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/2852-4-0x00000000006F0000-0x0000000000730000-memory.dmp	upx
behavioral1/memory/2992-5-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/2992-6-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/1988-10-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/2992-11-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/1988-12-0x0000000010000000-0x0000000010048000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

description	pid	process	target process
PID 2852 set thread context of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2852 fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exefa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe

description	pid	process	target process
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2852 wrote to memory of 2992	2852	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
PID 2992 wrote to memory of 1988	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	svchost.exe
PID 2992 wrote to memory of 1988	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	svchost.exe
PID 2992 wrote to memory of 1988	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	svchost.exe
PID 2992 wrote to memory of 1988	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	svchost.exe
PID 2992 wrote to memory of 1988	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	svchost.exe
PID 2992 wrote to memory of 2500	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 2500	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 2500	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 2500	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 2500	2992	fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa98f299330d2ca94971f373eace4d7c_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2500

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-8-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1988-10-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/1988-12-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2852-0-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2852-4-0x00000000006F0000-0x0000000000730000-memory.dmp

Filesize
256KB

Download
memory/2852-7-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-2-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2992-5-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2992-6-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2992-11-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads