xtremerat | d8f930172b112f39b14280db5559629cef31daaa253c4da61fc030bdf75709e0

General

Target

392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe
Size

374KB
MD5

392f21ba73924a229a8b33a6bf35dd81
SHA1

1fc3fc8b5e09819a743ed22aafd67c6f75f2bdfc
SHA256

d8f930172b112f39b14280db5559629cef31daaa253c4da61fc030bdf75709e0
SHA512

a7491cc15b03937f5410acdd9ffdfc7a138930efcf7548f91468fc1b4522f3a0eb0399b9d6ab7a878e78e7572953a89bc463826d72c4423607b460b6c82f08b3
SSDEEP

6144:aeHjx2pJNHZCYJBJl1UU2O4cBTJhv4s5C8s9vCLAes5VI8s6zXI:nHjmJDrU+Dv4KpsR0AJY8Hz4

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

teschio77.no-ip.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2468-8-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2468-7-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2468-12-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2788-13-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 3 IoCs

pid	Process
2468	xgh628A.tmp
2704	xgh628A.tmp
2796	6r464FA.tmp

Loads dropped DLL 3 IoCs

pid	Process
2160	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe
2468	xgh628A.tmp
2468	xgh628A.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\摵慰整 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe\""	6r464FA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\摵慰整 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe\""	6r464FA.tmp

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-8-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2468-7-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2468-6-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2468-12-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2788-13-0x0000000010000000-0x000000001004D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xgh628A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2468	2160	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2468	2160	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2468	2160	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2468	2160	392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe	30
PID 2468 wrote to memory of 2704	2468	xgh628A.tmp	31
PID 2468 wrote to memory of 2704	2468	xgh628A.tmp	31
PID 2468 wrote to memory of 2704	2468	xgh628A.tmp	31
PID 2468 wrote to memory of 2704	2468	xgh628A.tmp	31
PID 2468 wrote to memory of 2796	2468	xgh628A.tmp	32
PID 2468 wrote to memory of 2796	2468	xgh628A.tmp	32
PID 2468 wrote to memory of 2796	2468	xgh628A.tmp	32
PID 2468 wrote to memory of 2796	2468	xgh628A.tmp	32
PID 2468 wrote to memory of 2788	2468	xgh628A.tmp	33
PID 2468 wrote to memory of 2788	2468	xgh628A.tmp	33
PID 2468 wrote to memory of 2788	2468	xgh628A.tmp	33
PID 2468 wrote to memory of 2788	2468	xgh628A.tmp	33
PID 2468 wrote to memory of 2788	2468	xgh628A.tmp	33
PID 2468 wrote to memory of 2472	2468	xgh628A.tmp	34
PID 2468 wrote to memory of 2472	2468	xgh628A.tmp	34
PID 2468 wrote to memory of 2472	2468	xgh628A.tmp	34
PID 2468 wrote to memory of 2472	2468	xgh628A.tmp	34
PID 2468 wrote to memory of 2472	2468	xgh628A.tmp	34

C:\Users\Admin\AppData\Local\Temp\392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\xgh628A.tmp
  C:\Users\Admin\AppData\Local\Temp\xgh628A.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\xgh628A.tmp
    C:\Users\Admin\AppData\Local\Temp\xgh628A.tmp
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\6r464FA.tmp
    C:\Users\Admin\AppData\Local\Temp\6r464FA.tmp "C:\Users\Admin\AppData\Local\Temp\392f21ba73924a229a8b33a6bf35dd81_JaffaCakes118.exe" 3 摵慰整摵慰整
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2796
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\6r464FA.tmp

Filesize
34KB

MD5
91e85bdf8f3e7df5c243126fda9122a3

SHA1
8158cf5797085e91fda1edd0fb9b5890a4178899

SHA256
53cce0fd9285ec1696922d0da8f249ffad078a3afbab349bf864209ae06c2230

SHA512
c1327669fd1279d0f053f8eb4d7304002c23cdf4b9641e8eb1041fedef0267430afa211be72297ef1e220c2f332a00b533219662cda4f4833303ffb79fc65eae

Download Submit
\Users\Admin\AppData\Local\Temp\xgh628A.tmp

Filesize
85KB

MD5
0f07ff2024ef2f9082000863d4a15ef0

SHA1
44a776d42ee3279cbef92ec4a7f08d336d2483a3

SHA256
d79e66dab202156e49e4b0e4946a71b5891b1f2a423af61c705b08b160a967f0

SHA512
6397e5141b319e674d80d91a710447fb44784aea83f421bb1eacbdc8b9d9052ce1d2507329c3c35a5513ab36dda7372c8ce319dbec0ca6f74c9d589920e092b0

Download Submit
memory/2468-8-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2468-7-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2468-6-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2468-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2788-9-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2788-13-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads