xtremerat | ef982d3d8cf7b1ab0c10a6ded5b5eefe3935abfdc5118761f1412b01bace7aad

General

Target

043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe
Size

45KB
MD5

043f13448fd09a6280b0583c5a9df36c
SHA1

8edce3d25bd93882673410bb57f0fefb782d1021
SHA256

ef982d3d8cf7b1ab0c10a6ded5b5eefe3935abfdc5118761f1412b01bace7aad
SHA512

5d79edaf71702cefaed1f7718d79ea58e3c35c8abb1322c5ee08b761ef92da7077f9271372248a19b18945c479a22b6bc20ad7d69514a7936338325450178dd0
SSDEEP

768:PBr+tjFY90iY6W1jwmDzKgEFQXaklMIAn0tYCpPZzoKQ:ZyRh31jxPEFQXak+05poKQ

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2148-5-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1948-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2148-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4O8O7U-AS43-WHBO-370S-1VL8U6U75RBW}	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C4O8O7U-AS43-WHBO-370S-1VL8U6U75RBW}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2148 explorer.exe

pid	process
2148	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe

description	pid	process	target process
PID 1948 wrote to memory of 1844	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 1844	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 1844	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 1844	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 1248	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 1248	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 1248	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 1248	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2564	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2564	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2564	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2564	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 3008	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 3008	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 3008	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 3008	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2476	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2476	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2476	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2476	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	iexplore.exe
PID 1948 wrote to memory of 2148	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2148	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2148	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2148	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe
PID 1948 wrote to memory of 2148	1948	043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\043f13448fd09a6280b0583c5a9df36c_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1844

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:1248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2564

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:3008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:2476

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2148-3-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2148-5-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2148-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads