xtremerat | a9cc4ca3b78665931129982e8af945672473900a231424fc7baef00b7111a647

General

Target

ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
Size

384KB
MD5

ff39360d929cf960632b847ab1f0132f
SHA1

53276d8af6896b362da912389b4826e40effa97b
SHA256

a9cc4ca3b78665931129982e8af945672473900a231424fc7baef00b7111a647
SHA512

0151f923935185c0a4dd195a54548fd95dc749f5bcd4144cf561ebdabb730a147854de8dcc2bcdaaf9bdc681ff8f33e0cd92b0c81c0b5854064f265cc8afb5e9
SSDEEP

3072:efKFiKjJqh1DNow0LdEWec9LbYLSvuR4R83v0fEomS:0NovLTec9LbYLSvuR4R8f0fEo

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

far3on.zapto.org

Signatures

Detect XtremeRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-2-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1996-3-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1996-4-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1996-5-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2168-8-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1996-9-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2168-10-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

description	pid	process	target process
PID 1652 set thread context of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

pid process

1652 ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

pid	process
1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exeff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe

description	pid	process	target process
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1652 wrote to memory of 1996	1652	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
PID 1996 wrote to memory of 2168	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	svchost.exe
PID 1996 wrote to memory of 2168	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	svchost.exe
PID 1996 wrote to memory of 2168	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	svchost.exe
PID 1996 wrote to memory of 2168	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	svchost.exe
PID 1996 wrote to memory of 2168	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	svchost.exe
PID 1996 wrote to memory of 2732	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	iexplore.exe
PID 1996 wrote to memory of 2732	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	iexplore.exe
PID 1996 wrote to memory of 2732	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	iexplore.exe
PID 1996 wrote to memory of 2732	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	iexplore.exe
PID 1996 wrote to memory of 2732	1996	ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff39360d929cf960632b847ab1f0132f_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2732

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-2-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1996-3-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1996-4-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1996-5-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1996-9-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2168-6-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2168-8-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2168-10-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads