xtremerat | 740c2f18b582ea1fcb0b92e67797f26ff2153ca6bba7059bf622af49406fec20

General

Target

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
Size

205KB
MD5

8d087c1bd01b5abe21fdbaa3ccd47fb5
SHA1

8b1ce8ea035d0c831561e6ee3d59dbca27cf35ec
SHA256

740c2f18b582ea1fcb0b92e67797f26ff2153ca6bba7059bf622af49406fec20
SHA512

72f795f49156dc529a214c94da343b8ea5c8df207fa5a137108636ef9eb051be16e1e24eb5c186af1a7a42230b50ba30205806b9434eb0bbb897f9a1b76150c6
SSDEEP

3072:hlSHsZ4T48Bxyvc9rfHhbfwMHDho85R/grs3+5ozbyUUHCYD2tkP9a+pkEtkP:3hbvc9VfwMHD55x3u5oCUUHCA2OhpkE

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

systemservices.no-ip.biz

Signatures

Detect XtremeRAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1704-5-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1704-6-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1704-8-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1704-10-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4912-11-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1452-12-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1704-13-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1452-15-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4912-16-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1452-17-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1MU53I2Y-1S6I-HB78-0360-5810132VHV3K}	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1MU53I2Y-1S6I-HB78-0360-5810132VHV3K}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system5\\system5.exe restart"	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system5 = "C:\\Users\\Admin\\AppData\\Roaming\\system5\\system5.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system5 = "C:\\Users\\Admin\\AppData\\Roaming\\system5\\system5.exe"	notepad.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

description	pid	process	target process
PID 4136 set thread context of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1496	4912	WerFault.exe	svchost.exe
2428	4912	WerFault.exe	svchost.exe
3360	1452	WerFault.exe	notepad.exe
3264	1452	WerFault.exe	notepad.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 4136 8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad.exe

pid process

1452 notepad.exe

description	pid	process
Token: SeDebugPrivilege	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

pid	process
1452	notepad.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 492
      4⤵
      Program crash
      PID:1496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 500
      4⤵
      Program crash
      PID:2428
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 972
      4⤵
      Program crash
      PID:3360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 980
      4⤵
      Program crash
      PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4912 -ip 4912
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1452 -ip 1452
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4912 -ip 4912
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1452 -ip 1452
1⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-12-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1452-17-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1452-15-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1704-5-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1704-6-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1704-8-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1704-10-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1704-13-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4136-9-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4136-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/4136-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4136-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4912-11-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4912-16-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

description	pid	process	target process
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 4136 wrote to memory of 1704	4136	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe
PID 1704 wrote to memory of 4912	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	svchost.exe
PID 1704 wrote to memory of 4912	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	svchost.exe
PID 1704 wrote to memory of 4912	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	svchost.exe
PID 1704 wrote to memory of 4912	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	svchost.exe
PID 1704 wrote to memory of 1452	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	notepad.exe
PID 1704 wrote to memory of 1452	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	notepad.exe
PID 1704 wrote to memory of 1452	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	notepad.exe
PID 1704 wrote to memory of 1452	1704	8d087c1bd01b5abe21fdbaa3ccd47fb5_JaffaCakes118.exe	notepad.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads