xtremerat | c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
Size

45KB
MD5

a8b06620e9629037953a3a5bc07a0b60
SHA1

08c35cd4abf5e0945182079e24ec190d97225775
SHA256

c01c3e39933ccfedaf1d766903232ada996f71ee79187a2cb420219000c97d21
SHA512

042cfac252c4ceb55b9b7e5fb7f23d5686c4b3aeca68b2b093a3dce78d29f89f66745e685a9cefdb07db1dcf69a2daaa4286af185a2f9cc6040d3cbc5c0b9b50
SSDEEP

768:DBr+tjFKsusi02s2VzfoFTrS75YAU074/uhXtYCpP0zo3rI:tyRQsiNVzwFfS75YAU08mhX5co7I

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

wesam.no-ip.org

slator.com

Signatures

Detect XtremeRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4596-6-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral2/memory/4596-8-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

pid process

4596 a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

pid	process
4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe

description	pid	process	target process
PID 4596 wrote to memory of 2708	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2708	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 4648	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 4648	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 4648	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3524	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3524	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2420	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2420	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2420	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 652	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 652	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3204	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3204	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3204	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1748	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1748	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2476	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2476	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2476	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 4128	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 4128	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 416	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 416	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 416	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3988	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3988	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1568	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1568	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1568	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2324	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2324	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 5036	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 5036	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 5036	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3264	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3264	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1752	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1752	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1752	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2620	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2620	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 4640	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 4640	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 4640	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2644	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2644	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3432	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3432	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3432	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1892	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1892	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1092	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1092	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1092	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 2536	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 2536	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 1556	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1556	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 1556	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3692	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3692	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	msedge.exe
PID 4596 wrote to memory of 3092	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe
PID 4596 wrote to memory of 3092	4596	a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8b06620e9629037953a3a5bc07a0b60_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3524
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:652
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1748
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4128
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3988
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3264
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1892
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2536
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3692
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3884
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4336
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-6-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/4596-8-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download