xtremerat | 18f9f7cd091b2f0cbc1b1e88e5839381b30520ec6286443752ac91704b1ad708

General

Target

b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
Size

52KB
MD5

b7a9b374c0668eb956b6f4d48334d7fc
SHA1

1787347f22cd25838f663ded0fb03f95b413d102
SHA256

18f9f7cd091b2f0cbc1b1e88e5839381b30520ec6286443752ac91704b1ad708
SHA512

6ae953f7db33c60f386001a57d5767f182eab2a8f65aa022f0e3a8ac07b4261e0d6836dada68bfac98b59d898092639d0f34ec73c0fd6cbbe0d655247e7c814a
SSDEEP

768:/ZMuijtHf5g7/IIG3bGcYDBSvFIWuePQtv66lzotz7eoxN3iAK2f:/SNW71rcYDAWeotvXlKRf

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2604-26-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 1 IoCs

pid	Process
2604	serve1r (2).exe

Loads dropped DLL 4 IoCs

pid	Process
2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016cdf-6.dat	upx
behavioral1/memory/2900-9-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2604-26-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serve1r (2).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2604	2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2604	2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2604	2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe	30
PID 2900 wrote to memory of 2604	2900	b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe	30
PID 2604 wrote to memory of 3052	2604	serve1r (2).exe	31
PID 2604 wrote to memory of 3052	2604	serve1r (2).exe	31
PID 2604 wrote to memory of 3052	2604	serve1r (2).exe	31
PID 2604 wrote to memory of 3052	2604	serve1r (2).exe	31
PID 2604 wrote to memory of 3052	2604	serve1r (2).exe	31
PID 2604 wrote to memory of 568	2604	serve1r (2).exe	32
PID 2604 wrote to memory of 568	2604	serve1r (2).exe	32
PID 2604 wrote to memory of 568	2604	serve1r (2).exe	32
PID 2604 wrote to memory of 568	2604	serve1r (2).exe	32
PID 2604 wrote to memory of 568	2604	serve1r (2).exe	32

C:\Users\Admin\AppData\Local\Temp\b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7a9b374c0668eb956b6f4d48334d7fc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\serve1r (2).exe
  "C:\Users\Admin\AppData\Local\Temp\serve1r (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\serve1r (2).exe

Filesize
33KB

MD5
8edea4159999b69e6c14f1c308e06ddb

SHA1
03389088047651864a67e49e09d211d01c95a2a3

SHA256
99a78e493aaf7bb1c91eee32936d60064de372ba761497dedfa47f7ea544b3b5

SHA512
b28ebd734f669ac5250979035014363ba718709fbc466a564ed959b4ca86a00aee64324bfcdbaf835ab9f2489671fe117e97537458904de6b308fdb0dba746a7

Download Submit
memory/2604-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2900-9-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2900-20-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2900-22-0x0000000004A90000-0x0000000004A92000-memory.dmp

Filesize
8KB

Download
memory/3052-25-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing