xtremerat | 96bd83c30943e45b4bfd457aecccbc05f041f897da86340d5be89280d50c486e

General

Target

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
Size

3.7MB
MD5

4a12be812cd0675296bd5846528b5dac
SHA1

e1609ddc6315ec0f28b088ff0cd7fd21faa83834
SHA256

96bd83c30943e45b4bfd457aecccbc05f041f897da86340d5be89280d50c486e
SHA512

1f5f51f3522daab1feae6f8e97a58dfb41463ca03bbba689c2ce1569a04ac9d6445cd9624792d263484f8aa5077b22ae6899a2cdd36cdcb7d5e016b7b607cf66
SSDEEP

24576:lAHnh+eWsN3skA4RV1Hom2KXMmHa0ifaOza5Gmuk0eJSKTXyxcdgdfQCdaQ6+RRE:Uh+ZkldoPK8Ya055

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

dferwest.net

Signatures

Detect XtremeRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-14-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat
behavioral1/memory/3036-13-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat
behavioral1/memory/3036-1-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat
behavioral1/memory/2888-23-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat
behavioral1/memory/2300-27-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat
behavioral1/memory/2300-29-0x0000000000550000-0x00000000006CA000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{551C3BC0-Y7IO-LTET-43I5-RA161P6RC85W}	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551C3BC0-Y7IO-LTET-43I5-RA161P6RC85W}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{551C3BC0-Y7IO-LTET-43I5-RA161P6RC85W}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551C3BC0-Y7IO-LTET-43I5-RA161P6RC85W}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe

Executes dropped EXE 7 IoCs

Processes:

476ysdew.exe476ysdew.exe476ysdew.exe476ysdew.exe476ysdew.exe476ysdew.exe476ysdew.exe

pid process

2532 476ysdew.exe
2196 476ysdew.exe
2688 476ysdew.exe
2984 476ysdew.exe
2508 476ysdew.exe
2460 476ysdew.exe
2448 476ysdew.exe

pid	process
2532	476ysdew.exe
2196	476ysdew.exe
2688	476ysdew.exe
2984	476ysdew.exe
2508	476ysdew.exe
2460	476ysdew.exe
2448	476ysdew.exe

Loads dropped DLL 7 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe476ysdew.exe

pid	process
3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\InstallDir\Server.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\476ysdew.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe

description	pid	process	target process
PID 3040 set thread context of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe476ysdew.exe

pid	process
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe476ysdew.exe

pid	process
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
2532	476ysdew.exe
2532	476ysdew.exe
2532	476ysdew.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2300 explorer.exe

pid	process
2300	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe476ysdew.exe

description	pid	process	target process
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3040 wrote to memory of 3036	3040	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
PID 3036 wrote to memory of 2888	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	svchost.exe
PID 3036 wrote to memory of 2888	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	svchost.exe
PID 3036 wrote to memory of 2888	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	svchost.exe
PID 3036 wrote to memory of 2888	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	svchost.exe
PID 3036 wrote to memory of 2888	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	svchost.exe
PID 3036 wrote to memory of 2744	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	iexplore.exe
PID 3036 wrote to memory of 2744	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	iexplore.exe
PID 3036 wrote to memory of 2744	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	iexplore.exe
PID 3036 wrote to memory of 2744	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	iexplore.exe
PID 3036 wrote to memory of 2300	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	explorer.exe
PID 3036 wrote to memory of 2300	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	explorer.exe
PID 3036 wrote to memory of 2300	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	explorer.exe
PID 3036 wrote to memory of 2300	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	explorer.exe
PID 3036 wrote to memory of 2300	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	explorer.exe
PID 3036 wrote to memory of 2532	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	476ysdew.exe
PID 3036 wrote to memory of 2532	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	476ysdew.exe
PID 3036 wrote to memory of 2532	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	476ysdew.exe
PID 3036 wrote to memory of 2532	3036	4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe	476ysdew.exe
PID 2532 wrote to memory of 2196	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2196	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2196	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2196	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2688	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2688	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2688	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2688	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2984	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2984	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2984	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2984	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2508	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2508	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2508	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2508	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2460	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2460	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2460	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2460	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2448	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2448	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2448	2532	476ysdew.exe	476ysdew.exe
PID 2532 wrote to memory of 2448	2532	476ysdew.exe	476ysdew.exe

C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a12be812cd0675296bd5846528b5dac_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    PID:2888
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
    "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\476ysdew.exe
      "C:\Users\Admin\AppData\Local\Temp\476ysdew.exe"
      4⤵
      Executes dropped EXE
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\476ysdew.exe

Filesize
1.4MB

MD5
16999cb991e710ce52bb229edcbb08e6

SHA1
25cc4dd8bd104a9f2e173b4d04a49d4da5971a78

SHA256
9985be36ed003ca85d3ac687251d7e00294d60d3afd2ad521cffa8c41ce1f048

SHA512
4218ba5e7dc8c2e486f8d82e4ba9101c210395616f2f649577d92557247673eb497014e3b28ee335ea1e36d66c3089dbc1e70f3e6bad167a1c40c3a0288b19d6

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
3.7MB

MD5
4a12be812cd0675296bd5846528b5dac

SHA1
e1609ddc6315ec0f28b088ff0cd7fd21faa83834

SHA256
96bd83c30943e45b4bfd457aecccbc05f041f897da86340d5be89280d50c486e

SHA512
1f5f51f3522daab1feae6f8e97a58dfb41463ca03bbba689c2ce1569a04ac9d6445cd9624792d263484f8aa5077b22ae6899a2cdd36cdcb7d5e016b7b607cf66

Download Submit
memory/2300-27-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/2300-29-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/2888-23-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/3036-0-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/3036-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-14-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/3036-13-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download
memory/3036-1-0x0000000000550000-0x00000000006CA000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads