xtremerat | ed592745082654d911f9772af28ab85a29f155a358c8e5bf761f2c58d24ebaaf

General

Target

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe
Size

4.2MB
MD5

8e887fd1b8c409695e6410269e6968a9
SHA1

73284fbd809be6ef0e52fa7caa3ab665e8b68fdb
SHA256

ed592745082654d911f9772af28ab85a29f155a358c8e5bf761f2c58d24ebaaf
SHA512

0205cca408651caef44ffd6cee5f2f7a9ca672648676aa053c10c80d20b1c900233211f35c4edfbe9f089fa7c5e0d75191459670c4f78dae3c9e7412107cbd6d
SSDEEP

98304:S556NtlDeQGxsUtkfM3IkwA7N7a/KrrBqgxstvCBH:SiNtl1GxftIA7UyrkgxmvCV

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

renansoares1209.ddns.net

Signatures

Detect XtremeRAT payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\crypted.exe	family_xtremerat
behavioral2/memory/4624-46-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4624-49-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4576-50-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4576-52-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4576-54-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

crypted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J7MYX2UB-K60C-A1O2-Y264-CMB54M00BT77}	crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J7MYX2UB-K60C-A1O2-Y264-CMB54M00BT77}\StubPath = "C:\\Windows\\system32\\Windows\\taskhost.exe restart"	crypted.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exeCDS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	CDS.exe

Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid process

3504 CDS.exe
4576 crypted.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

3504 CDS.exe

pid	process
3504	CDS.exe
4576	crypted.exe

pid	process
3504	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

crypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows update = "C:\\Windows\\system32\\Windows\\taskhost.exe"	crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update = "C:\\Windows\\system32\\Windows\\taskhost.exe"	crypted.exe

Drops file in System32 directory 3 IoCs

Processes:

crypted.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows\taskhost.exe	crypted.exe
File created	C:\Windows\SysWOW64\Windows\taskhost.exe	crypted.exe
File opened for modification	C:\Windows\SysWOW64\Windows\	crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3448 4624 WerFault.exe svchost.exe
2888 4624 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

3504 CDS.exe
3504 CDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 892 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 892 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CDS.execrypted.exe

pid process

3504 CDS.exe
3504 CDS.exe
4576 crypted.exe

pid	pid_target	process	target process
3448	4624	WerFault.exe	svchost.exe
2888	4624	WerFault.exe	svchost.exe

pid	process
3504	CDS.exe
3504	CDS.exe

description	pid	process
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE

pid	process
3504	CDS.exe
3504	CDS.exe
4576	crypted.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exeCDS.execrypted.exe

description	pid	process	target process
PID 3256 wrote to memory of 3504	3256	8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe	CDS.exe
PID 3256 wrote to memory of 3504	3256	8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe	CDS.exe
PID 3256 wrote to memory of 3504	3256	8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe	CDS.exe
PID 3504 wrote to memory of 4576	3504	CDS.exe	crypted.exe
PID 3504 wrote to memory of 4576	3504	CDS.exe	crypted.exe
PID 3504 wrote to memory of 4576	3504	CDS.exe	crypted.exe
PID 4576 wrote to memory of 4624	4576	crypted.exe	svchost.exe
PID 4576 wrote to memory of 4624	4576	crypted.exe	svchost.exe
PID 4576 wrote to memory of 4624	4576	crypted.exe	svchost.exe
PID 4576 wrote to memory of 4624	4576	crypted.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\CDS.exe
  "C:\Users\Admin\AppData\Local\Temp\CDS.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 508
        5⤵
        Program crash
        
        PID:3448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 516
        5⤵
        Program crash
        
        PID:2888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4624 -ip 4624
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4624 -ip 4624
1⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.dat

Filesize
65KB

MD5
f3149545e57b32e2a609e4fdf1321ade

SHA1
2f608ce129498331cc8d065b5e62345edd3545da

SHA256
5ccb0678cc14a1525580cf9064a0381dd7a34508885f8d4a10760691ed28b1fc

SHA512
97051f4e59874535e544e10d2b8347fe8b087e032649c8e05c1f8ca64fbf62cc1e3222be4fa58e518e758df8718a5b576a25fe609e77bf087bb04e1aee5e233d

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
65KB

MD5
32278c05d9a281b87daa3102d96a8664

SHA1
1f724e49cb181aeb8f70608e12143b4188b948ca

SHA256
c0cbda8fe995c49475a36455ac0bc2c9a2a5f6b432fd8f1dc21808f2dac98a58

SHA512
2c4bd1487d987bcc59d1c0ec5c5248404c91341d2469e05de611b0b88772b94686d184014e96988814b6a0c3793b94de7dcedc31ef7592a465871c46f4f6e6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/4576-50-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4576-52-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4576-54-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4624-46-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4624-49-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads