xtremerat | 9ad895c6c959ef97efe53a5ac2b2f1a3c335dffabaf919faf5083b16e10d5450

General

Target

6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
Size

297KB
MD5

6585a16b111cd1a1d4992050a6207735
SHA1

817cd0f83fd70a49d0c7336175f507cf4b989058
SHA256

9ad895c6c959ef97efe53a5ac2b2f1a3c335dffabaf919faf5083b16e10d5450
SHA512

0fa51be1433d2060ec09748826ac03c230b8b638d661af09266b909533ce147e2a450188ab9a73e332ee20928f94ae8e5f62e7285dbfbb788ba119871f1a1e3c
SSDEEP

6144:nhWxjk0EdatAbulIY24ku3n6DJRMqw6B+HaBZz0mfA:nOjk0gatIMkh51z+

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

2hask.no-ip.biz

Signatures

Detect XtremeRAT payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-11-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-13-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-9-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-6-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-5-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-4-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-3-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-2-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-12-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2784-16-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2172-17-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2784-20-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2784-21-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2784-22-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N13TR8V-7U4H-WWIK-ALGJ-MC7CT02FHMQ7}	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0N13TR8V-7U4H-WWIK-ALGJ-MC7CT02FHMQ7}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NOTEPAD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	NOTEPAD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	NOTEPAD.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe

description	pid	process	target process
PID 2756 set thread context of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

NOTEPAD.EXE

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	NOTEPAD.EXE
File created	C:\Windows\InstallDir\Server.exe	NOTEPAD.EXE
File opened for modification	C:\Windows\InstallDir\	NOTEPAD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXE6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2784 NOTEPAD.EXE

pid	process
2784	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    NOTEPAD.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-3-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-13-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-2-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-12-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-6-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-5-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-4-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-11-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-17-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-9-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-1-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2172-0-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2756-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-16-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2784-20-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2784-21-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2784-22-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

description	pid	process	target process
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2756 wrote to memory of 2172	2756	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe
PID 2172 wrote to memory of 2784	2172	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	NOTEPAD.EXE
PID 2172 wrote to memory of 2784	2172	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	NOTEPAD.EXE
PID 2172 wrote to memory of 2784	2172	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	NOTEPAD.EXE
PID 2172 wrote to memory of 2784	2172	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	NOTEPAD.EXE
PID 2172 wrote to memory of 2784	2172	6585a16b111cd1a1d4992050a6207735_JaffaCakes118.exe	NOTEPAD.EXE

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads