xtremerat | db7a9de95042c2553e5b38f1b3743a65f75e8d799c518da5f3031992ffb52ef7

Resubmissions

15/07/2024, 07:33

240715-jdgyzaveqk 10

15/07/2024, 07:22

240715-h7btdaxflh 10

Analysis

max time kernel
6s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 07:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe
Size

1.4MB
MD5

48c92021936b6d3e8bdd9a292d36600d
SHA1

a45b7ec3ec2091f39d2fe00ce8cb86b5c12cb658
SHA256

db7a9de95042c2553e5b38f1b3743a65f75e8d799c518da5f3031992ffb52ef7
SHA512

2f8db1c64d5b24792a3e7e4cc6d8deb8d521af7cbdc9c13c50214dc421919c40e92bbf196ef64a0a30e9c58b18784e2173be837806c2c8455bb085a1164e0310
SSDEEP

24576:f5KoEz02RxcvKzRZwmpgYB3xlr1Xj/24zUg5paADTeut8t:gzLxbzR+mjNTrZlzUGaADTeI8t

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000234bb-6.dat	family_xtremerat
behavioral1/memory/1564-20-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 3 IoCs

pid	Process
1564	1.exe
1356	Server.exe
3360	IDMan.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	1.exe
File created	C:\Windows\InstallDir\Server.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2176	1564	WerFault.exe	86
3120	1564	WerFault.exe	86

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1564	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	86
PID 2468 wrote to memory of 1564	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	86
PID 2468 wrote to memory of 1564	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	86
PID 1564 wrote to memory of 3112	1564	1.exe	87
PID 1564 wrote to memory of 3112	1564	1.exe	87
PID 1564 wrote to memory of 3112	1564	1.exe	87
PID 1564 wrote to memory of 3604	1564	1.exe	88
PID 1564 wrote to memory of 3604	1564	1.exe	88
PID 1564 wrote to memory of 3604	1564	1.exe	88
PID 1564 wrote to memory of 1884	1564	1.exe	89
PID 1564 wrote to memory of 1884	1564	1.exe	89
PID 1564 wrote to memory of 1884	1564	1.exe	89
PID 1564 wrote to memory of 5116	1564	1.exe	90
PID 1564 wrote to memory of 5116	1564	1.exe	90
PID 1564 wrote to memory of 5116	1564	1.exe	90
PID 1564 wrote to memory of 4456	1564	1.exe	91
PID 1564 wrote to memory of 4456	1564	1.exe	91
PID 1564 wrote to memory of 4456	1564	1.exe	91
PID 1564 wrote to memory of 2496	1564	1.exe	92
PID 1564 wrote to memory of 2496	1564	1.exe	92
PID 1564 wrote to memory of 2496	1564	1.exe	92
PID 1564 wrote to memory of 4040	1564	1.exe	93
PID 1564 wrote to memory of 4040	1564	1.exe	93
PID 1564 wrote to memory of 4040	1564	1.exe	93
PID 1564 wrote to memory of 2640	1564	1.exe	94
PID 1564 wrote to memory of 2640	1564	1.exe	94
PID 1564 wrote to memory of 1356	1564	1.exe	95
PID 1564 wrote to memory of 1356	1564	1.exe	95
PID 1564 wrote to memory of 1356	1564	1.exe	95
PID 1356 wrote to memory of 2196	1356	Server.exe	99
PID 1356 wrote to memory of 2196	1356	Server.exe	99
PID 1356 wrote to memory of 2196	1356	Server.exe	99
PID 2468 wrote to memory of 3360	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	102
PID 2468 wrote to memory of 3360	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	102
PID 2468 wrote to memory of 3360	2468	48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48c92021936b6d3e8bdd9a292d36600d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2640
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1292
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1284
    3⤵
    - Program crash
    PID:3120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMan.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMan.exe
  2⤵
  - Executes dropped EXE
  PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1564 -ip 1564
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1564 -ip 1564
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
40KB

MD5
1517e0e93479d9ced563687c48de68dd

SHA1
b875915034df6fb8ac6aff44a756adcadcac1977

SHA256
5917e31c525f4389ee22bcd7c690416f6f42a41b4d93ac35b0596a20bafae099

SHA512
0cbd3824b22ae83f03576e1c5977f53db2336be0f428fd203a2829915d21911d197cf578e2ef22005c0ff7eec2cb6d69183c446d63c21425eb8d94f426b35283

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMan.exe

Filesize
3.0MB

MD5
6da127016f908379879bbdc2f05e8076

SHA1
098445c6d21260d44148279edeba7552ea8502e2

SHA256
ee6653548c9c75b9cc6e1329b710adcb0ac4b264927b409f490fa007d435a79b

SHA512
cf895d000c3f786f064bb0f7f8e5789e1968512c563d6b5588262f26095fbfee6bcb11b53002a343d223944cdd3b46f95273470c98fd3ff626ca9548e61789f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
dc614148e8873856ae597fc07e38eba2

SHA1
fe8337a3a21df96f8a934f43f75bf915d227ebca

SHA256
0f7bf0d058aaf9601685bf55186a8a633e32a9fefaa61fbf16b4b11920b207a6

SHA512
685efccfc8896d6de98e47423d4615cb832ab91ce2bc9c6e20601b44f818ff876f35f5ec87cad8da52900c852aaec08a5ed906a67d0aaf51923787e980a5ab92

Download Submit
memory/1564-20-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads