xtremerat | e8162f1766459e6ef57b0063938da6cab886743ee5c5669233424855c8098f8f

General

Target

2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe
Size

585KB
MD5

2d7839f3fc66dceee05dd4da03474675
SHA1

a831c9b8b6d33f19cd77acfedc4bd2a55989139b
SHA256

e8162f1766459e6ef57b0063938da6cab886743ee5c5669233424855c8098f8f
SHA512

54d64c6f6785589074b235cb06d0f80288b7e6937c2e161f7a8239686f9f3b0dc9ea237912b6f47647541cfe08bb4e552ba8810d3c0ae965e95951a9300417d3
SSDEEP

6144:6aKMSD4Yuaezwp0yN90QEwuzJq/fdlGFlxhlXmEjycLT:jK3D4laoy90lefdcFlxTXmEjBL

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

server1231.no-ip.info

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4296-8-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3484-9-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4296-17-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 3 IoCs

pid	Process
3484	server.exe
4020	NIGHTH~1.EXE
3208	nighthawk32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023427-5.dat	upx
behavioral2/memory/3484-6-0x0000000010000000-0x000000001004A000-memory.dmp	upx
behavioral2/memory/4296-8-0x0000000010000000-0x000000001004A000-memory.dmp	upx
behavioral2/memory/3484-9-0x0000000010000000-0x000000001004A000-memory.dmp	upx
behavioral2/memory/4296-17-0x0000000010000000-0x000000001004A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nighthawk = "C:\\Users\\Admin\\AppData\\Local\\nighthawk\\nighthawk32.exe"	nighthawk32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2156	4296	WerFault.exe	84
5112	4296	WerFault.exe	84

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3484	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	82
PID 4100 wrote to memory of 3484	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	82
PID 4100 wrote to memory of 3484	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	82
PID 3484 wrote to memory of 4296	3484	server.exe	84
PID 3484 wrote to memory of 4296	3484	server.exe	84
PID 3484 wrote to memory of 4296	3484	server.exe	84
PID 3484 wrote to memory of 4296	3484	server.exe	84
PID 3484 wrote to memory of 1944	3484	server.exe	86
PID 3484 wrote to memory of 1944	3484	server.exe	86
PID 3484 wrote to memory of 1944	3484	server.exe	86
PID 4100 wrote to memory of 4020	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	90
PID 4100 wrote to memory of 4020	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	90
PID 4100 wrote to memory of 4020	4100	2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe	90
PID 4020 wrote to memory of 3208	4020	NIGHTH~1.EXE	92
PID 4020 wrote to memory of 3208	4020	NIGHTH~1.EXE	92
PID 4020 wrote to memory of 3208	4020	NIGHTH~1.EXE	92

C:\Users\Admin\AppData\Local\Temp\2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d7839f3fc66dceee05dd4da03474675_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 480
      4⤵
      Program crash
      PID:2156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 488
      4⤵
      Program crash
      PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NIGHTH~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NIGHTH~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\nighthawk\nighthawk32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NIGHTH~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4296 -ip 4296
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4296 -ip 4296
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NIGHTH~1.EXE

Filesize
173KB

MD5
5be10333af9a8175f9aeca08cd291654

SHA1
a3d33d89ca1f7ab70252bb17014060d3012481ee

SHA256
eb6bdc733456acbef52bf34ca3bfe2299d49b41112f84fb9fadf87de6e1e1325

SHA512
ed0e77b315ff2473e96385237cddc4d0359aff207b50625615bf1064826857913353542966f72782e2009fd7ac42f70a763d2fb8b4bb2f0a64cd937bf2290ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
30KB

MD5
d5e2d776baecf34f15876bcf50b894e4

SHA1
066a7ddf44ceb7e066c230fb78cbbde7724e1c0e

SHA256
d1c20ec717073aae44ff205d31a269b2fac8e2708f726abf7da92b3232ed76da

SHA512
40304ba459bc145537cf19def8b7d8b17872e27ff7b56ac5a304b341d71adeaf072f2ba88f51d77568b027320948bb45dfe04c3ee11657e2ece26e1af7e2d4e6

Download Submit
memory/3484-6-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3484-9-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4296-8-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4296-17-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads