xtremerat | 358a05a1b545dc2cf95b0c5081247f9fe2fce6f065b04d83d339fb71a748b22f

General

Target

8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe
Size

240KB
MD5

8bd8e4415921120e5381a8d0d6e97099
SHA1

8b9f58ac057c05db335f8d19818de827e0fb3b8c
SHA256

358a05a1b545dc2cf95b0c5081247f9fe2fce6f065b04d83d339fb71a748b22f
SHA512

ffd7289d23c12721ba2ca0a3ee2a790fd9308fb4be38ec09f5ce79c9ddbefb6e2d6b8850efb517b6d745d592fe509e56652a0a3db9654ff294ffc424ff3b28f8
SSDEEP

3072:aVnUJ8T2SXZyrgoBJtbN/3MCK2kevEwl/6GJHSp90uPrR5whRF0yXR3FeGABXurM:aVD/JdSI5ebm90mrRiP1eGANuTEU7ZWz

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4028-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4384-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4028-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

thehack.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	thehack.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	thehack.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

thehack.exezhack.exe

pid process

4384 thehack.exe
3376 zhack.exe

pid	process
4384	thehack.exe
3376	zhack.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

thehack.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	thehack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	thehack.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\thehack.exe	upx
behavioral2/memory/4384-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4028-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4384-28-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4028-30-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

thehack.exe

description ioc process

File opened for modification C:\Windows\InstallDir\Server.exe thehack.exe
File created C:\Windows\InstallDir\Server.exe thehack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\InstallDir\Server.exe	thehack.exe
File created	C:\Windows\InstallDir\Server.exe	thehack.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zhack.execmd.exePING.EXEsvchost.exe8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exethehack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thehack.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2172 cmd.exe
2224 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2224 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4028 svchost.exe

pid	process
2172	cmd.exe
2224	PING.EXE

pid	process
2224	PING.EXE

pid	process
4028	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exethehack.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 4384	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	thehack.exe
PID 3052 wrote to memory of 4384	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	thehack.exe
PID 3052 wrote to memory of 4384	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	thehack.exe
PID 3052 wrote to memory of 3376	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	zhack.exe
PID 3052 wrote to memory of 3376	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	zhack.exe
PID 3052 wrote to memory of 3376	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	zhack.exe
PID 3052 wrote to memory of 2172	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	cmd.exe
PID 3052 wrote to memory of 2172	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	cmd.exe
PID 3052 wrote to memory of 2172	3052	8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe	cmd.exe
PID 4384 wrote to memory of 4028	4384	thehack.exe	svchost.exe
PID 4384 wrote to memory of 4028	4384	thehack.exe	svchost.exe
PID 4384 wrote to memory of 4028	4384	thehack.exe	svchost.exe
PID 2172 wrote to memory of 2224	2172	cmd.exe	PING.EXE
PID 2172 wrote to memory of 2224	2172	cmd.exe	PING.EXE
PID 2172 wrote to memory of 2224	2172	cmd.exe	PING.EXE
PID 4384 wrote to memory of 4028	4384	thehack.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\thehack.exe
  "C:\Users\Admin\AppData\Local\Temp\thehack.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4028
- C:\Users\Admin\AppData\Local\Temp\zhack.exe
  "C:\Users\Admin\AppData\Local\Temp\zhack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\zhack.exe" "C:\Users\Admin\AppData\Local\Temp\8bd8e4415921120e5381a8d0d6e97099_JaffaCakes118.exe" >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\thehack.exe

Filesize
21KB

MD5
cdd786a7b2c69149de85a3d76b8a36e9

SHA1
ee3af6788721d58544b86c504f3b6d72d0b3bff0

SHA256
5321b74f9735983982d6ad5f33abfb62511348318bee012b8adf5fa27d977452

SHA512
6b6d7d18cb053e6fd6b948245b7efce1f3aa943f3578701086204ded8377d38f23b48609e5ff3625b752c5783bab8424d3b5af82ad1a2fac13ec942e65be4491

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhack.exe

Filesize
174KB

MD5
3a89bc20a2381179c7777a2ba3f8b2ca

SHA1
7f4bef007e0f35d575c7f876cc3e6531a4fe41a9

SHA256
83768a88bbfa03d0aca58ae92f7a1c8f59837185dafe2f8d2cbf4a0f179dc3e1

SHA512
5304484946212ad02cb9d6cb8ff2e07deffecba46622e877dfafe8c5e3e0ef2223d5c9e603a208830186e079dff6e3c246f4932f3cc3f74bdcf24cf6d90ab12b

Download Submit
memory/3376-21-0x0000000000400000-0x000000000044A62C-memory.dmp

Filesize
297KB

Download
memory/3376-33-0x0000000000400000-0x000000000044A62C-memory.dmp

Filesize
297KB

Download
memory/4028-26-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4028-30-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4384-18-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4384-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads