xtremerat | d9204eb999e60c80de07b91aedb4b2c620ef435206eaad6113c5a3adf93ac7ac

General

Target

5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe
Size

50KB
MD5

5f5405cf899443cf16a1a09f73d2d6d2
SHA1

3a110fcc33f7897c5765c4fa7b280a914aca142b
SHA256

d9204eb999e60c80de07b91aedb4b2c620ef435206eaad6113c5a3adf93ac7ac
SHA512

16665606a7b02a4f88e4b6bcbfa20f68f5aecbb96f4da8891446b1226e1fde19d10df7b04c07aba45e72e6bc3df66e5e11fa997bb152ac0a7db3ec6be47fb22d
SSDEEP

768:Fw3Ws7+7jpVj61ftgm8Xor0EEuoJ4wDyQzDWuegwYYExombyC48MWa3t2:FSWs78jc6m/quoaRweZYFxomW/vWY2

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

pomen18.no-ip.org

pomen18.no-ip.org

궃 e耀纭᣷t耀壉⾛䋎뺑怘pomen18.no-ip.org

Signatures

Detect XtremeRAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3504-14-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4504-15-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1384-17-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4504-18-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4504-23-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3504-25-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4504-28-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

pid process

1384 zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

pid	process
1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe"	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\InstallDir\Server.exe	svchost.exe
File created	C:\Windows\SysWOW64\InstallDir\Server.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\InstallDir\	svchost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	upx
behavioral2/memory/1384-12-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3504-14-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4504-15-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1384-17-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4504-18-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4504-23-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3504-25-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4504-28-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2140	3504	WerFault.exe	svchost.exe
3388	4504	WerFault.exe	svchost.exe
1624	3504	WerFault.exe	svchost.exe
2912	4504	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4504 svchost.exe

pid	process
4504	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exezao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

description	pid	process	target process
PID 1828 wrote to memory of 1384	1828	5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
PID 1828 wrote to memory of 1384	1828	5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
PID 1828 wrote to memory of 1384	1828	5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
PID 1384 wrote to memory of 3504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 3504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 3504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 3504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 4504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 4504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 4504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe
PID 1384 wrote to memory of 4504	1384	zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f5405cf899443cf16a1a09f73d2d6d2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
  C:\Users\Admin\AppData\Local\Temp\zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 480
      4⤵
      Program crash
      PID:2140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 488
      4⤵
      Program crash
      PID:1624
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 968
      4⤵
      Program crash
      PID:3388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 976
      4⤵
      Program crash
      PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3504 -ip 3504
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4504 -ip 4504
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3504 -ip 3504
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4504 -ip 4504
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zao3tdvfvjt.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Filesize
33KB

MD5
4bc3ef6c320cdce8d5576cb78fddb12a

SHA1
a45e2ed689bb11274bc72b52a63f4c8d11e569f0

SHA256
dcb94be014ee0b716ea05d127e5efd498e1a84710926198680e6bf2cd3e12c99

SHA512
7939fe2bde6aad75da9c9d5badbdd736082fbfc12960c6e2c1587d0b14e0feb9ab806106168903f17ec2ec55a98c3eb0d58ee6081bc43bcc52eb21d789e9ee84

Download Submit
memory/1384-17-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1384-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1828-8-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/1828-2-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/1828-5-0x000000001CA90000-0x000000001CB2C000-memory.dmp

Filesize
624KB

Download
memory/1828-6-0x00000000016E0000-0x00000000016E8000-memory.dmp

Filesize
32KB

Download
memory/1828-7-0x000000001CBA0000-0x000000001CBEC000-memory.dmp

Filesize
304KB

Download
memory/1828-0-0x00007FFFD72A5000-0x00007FFFD72A6000-memory.dmp

Filesize
4KB

Download
memory/1828-3-0x000000001C520000-0x000000001C9EE000-memory.dmp

Filesize
4.8MB

Download
memory/1828-4-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/1828-22-0x00007FFFD6FF0000-0x00007FFFD7991000-memory.dmp

Filesize
9.6MB

Download
memory/1828-1-0x000000001BF30000-0x000000001BFD6000-memory.dmp

Filesize
664KB

Download
memory/3504-14-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3504-25-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4504-15-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4504-18-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4504-23-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4504-28-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads