xtremerat | 771d7a35e4e0b3fa80116af4b5e80afaefd24244e586950fd064574a997f1d72

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Size

1.0MB
MD5

40d35f1f6e71d5be3166dead89573bc8
SHA1

5f6291b39dac2622a6ea97fbad8a7d4235797178
SHA256

771d7a35e4e0b3fa80116af4b5e80afaefd24244e586950fd064574a997f1d72
SHA512

2116a68b554746ef5abc743b8f885956b2b6626b4358ffb36d069d834fd3dc1d3f0ec4c9ee455e01ee755d529cee1d83d3179130dc94fed244e3b258195df409
SSDEEP

12288:wOqBSe3b7MFJb7Mtx45EACL9NZ8JZi6MPNUp/musajK9I1yG88F+Nqhs:RCStUM5qjZQi6SNesajK9I1i8Frm

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

youime.no-ip.info

Signatures

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2244-11-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat
behavioral1/memory/2244-10-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat
behavioral1/memory/2208-17-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat
behavioral1/memory/2208-26-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat
behavioral1/memory/2208-20-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat
behavioral1/memory/2208-34-0x0000000000C80000-0x0000000000D3B000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	Server.exe
2576	Server.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	explorer.exe
2208	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 2668 set thread context of 2576	2668	Server.exe	35
PID 2576 set thread context of 2608	2576	Server.exe	37

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-11-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2244-10-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2244-9-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2244-5-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2244-3-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2244-1-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2208-17-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2208-26-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2208-20-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2208-34-0x0000000000C80000-0x0000000000D3B000-memory.dmp	upx
behavioral1/memory/2608-59-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2608-57-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/2608-55-0x0000000001610000-0x0000000001712000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
File created	C:\Windows\InstallDir\Server.exe	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	explorer.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 1868 wrote to memory of 2244	1868	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	31
PID 2244 wrote to memory of 1040	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	32
PID 2244 wrote to memory of 1040	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	32
PID 2244 wrote to memory of 1040	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	32
PID 2244 wrote to memory of 1040	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	32
PID 2244 wrote to memory of 2208	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	33
PID 2244 wrote to memory of 2208	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	33
PID 2244 wrote to memory of 2208	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	33
PID 2244 wrote to memory of 2208	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	33
PID 2244 wrote to memory of 2208	2244	40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe	33
PID 2208 wrote to memory of 2668	2208	explorer.exe	34
PID 2208 wrote to memory of 2668	2208	explorer.exe	34
PID 2208 wrote to memory of 2668	2208	explorer.exe	34
PID 2208 wrote to memory of 2668	2208	explorer.exe	34
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2668 wrote to memory of 2576	2668	Server.exe	35
PID 2576 wrote to memory of 2588	2576	Server.exe	36
PID 2576 wrote to memory of 2588	2576	Server.exe	36
PID 2576 wrote to memory of 2588	2576	Server.exe	36
PID 2576 wrote to memory of 2588	2576	Server.exe	36
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37
PID 2576 wrote to memory of 2608	2576	Server.exe	37

C:\Users\Admin\AppData\Local\Temp\40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\40d35f1f6e71d5be3166dead89573bc8_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2588
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
07813307a77b2fecea44690e4275c83c

SHA1
0f9208698b614e3a4f5808939f72c3eafb3ab050

SHA256
fa0f1d5480392605a594da258a56523d0a4b43b8936184c237df96ca9d0bc15d

SHA512
55245d8a8fea62cce9fc8f535bb974a3a6338bf22c40db341be468a0a9d42a2ea3a581e9a65d1fe2195086a60ed2a7bd12fc08b79d96d9bb2d03de60ffd06499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).xtr

Filesize
343KB

MD5
6426d400c96fb9ffef4eaa54f6647f4c

SHA1
70a37871aff432790b6adf7d3fc4eb929476e082

SHA256
98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c

SHA512
2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
1.0MB

MD5
40d35f1f6e71d5be3166dead89573bc8

SHA1
5f6291b39dac2622a6ea97fbad8a7d4235797178

SHA256
771d7a35e4e0b3fa80116af4b5e80afaefd24244e586950fd064574a997f1d72

SHA512
2116a68b554746ef5abc743b8f885956b2b6626b4358ffb36d069d834fd3dc1d3f0ec4c9ee455e01ee755d529cee1d83d3179130dc94fed244e3b258195df409

Download Submit
memory/1868-18-0x0000000023240000-0x0000000023299000-memory.dmp

Filesize
356KB

Download
memory/2208-17-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2208-34-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2208-20-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2208-26-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-5-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-3-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-0-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-9-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-10-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-11-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2244-1-0x0000000000C80000-0x0000000000D3B000-memory.dmp

Filesize
748KB

Download
memory/2608-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-54-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2608-59-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2608-57-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2608-55-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2668-36-0x0000000023240000-0x0000000023299000-memory.dmp

Filesize
356KB

Download
memory/2668-62-0x0000000023240000-0x0000000023299000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads