xtremerat | 2abc906f7f08fb8a8d9eb9bdba17fc99a4c914dee6b24680175703c38d2e4a5f

General

Target

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
Size

1.1MB
MD5

8eb2020f1d3c549da4b6076341fa032f
SHA1

9ead9c8b3fce65bd6ea30da4a401fac8425e8d0b
SHA256

2abc906f7f08fb8a8d9eb9bdba17fc99a4c914dee6b24680175703c38d2e4a5f
SHA512

71b61a111fb825e91c236ff7c4d654631fa142f68ebbc86560d1f70ebd141cc3b39af8316dd5fe0a436d1205c6b7040e97a44512c5601429883f9fa8f5eb1a22
SSDEEP

24576:CaHMv6CorjqnyC8rMtBYp/MPHcOMgvf+QeS6v:C1vqjdC8rMtSVMvcOkQgv

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

nerozhack.ddns.com.br

alonedevil.no-ip.org

gameszero.dyndns.org

Signatures

Detect XtremeRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1228-35-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2788-36-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1492-37-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1492-39-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1492-40-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2788-42-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Drops file in Drivers directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\System.exe	taskmgr.exe
File created	C:\Windows\system32\drivers\etc\System.exe	taskmgr.exe

Executes dropped EXE 3 IoCs

Processes:

app.exeapp.exeapp.exe

pid process

932 app.exe
3876 app.exe
1228 app.exe

pid	process
932	app.exe
3876	app.exe
1228	app.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

taskmgr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdaterStartupUtility = "C:\\Windows\\system32\\drivers\\etc\\System.exe"	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PlusServices = "C:\\Windows\\system32\\drivers\\etc\\System.exe"	taskmgr.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4604-0-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral2/memory/932-25-0x0000000000400000-0x00000000004C4000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exeapp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\app.exe	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\app.exe	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\app.exe	app.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

app.exeapp.exe

description pid process target process

PID 932 set thread context of 3876 932 app.exe app.exe
PID 3876 set thread context of 1228 3876 app.exe app.exe

description	pid	process	target process
PID 932 set thread context of 3876	932	app.exe	app.exe
PID 3876 set thread context of 1228	3876	app.exe	app.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1228-29-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1228-34-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1228-35-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2788-36-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1492-37-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1492-39-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1492-40-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2788-42-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

app.exe

description	ioc	process
File created	C:\Windows\SFBqMIUDMPeRYJaXntohQLbXLsu	app.exe
File opened for modification	C:\Windows\SFBqMIUDMPeRYJaXntohQLbXLsu	app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

816 2788 WerFault.exe svchost.exe
4492 1492 WerFault.exe taskmgr.exe
2976 2788 WerFault.exe svchost.exe

pid	pid_target	process	target process
816	2788	WerFault.exe	svchost.exe
4492	1492	WerFault.exe	taskmgr.exe
2976	2788	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exeapp.exeapp.exeapp.exesvchost.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

pid	process
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

pid	process
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

app.exetaskmgr.exe

pid process

3876 app.exe
1492 taskmgr.exe

pid	process
3876	app.exe
1492	taskmgr.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exeapp.exeapp.exeapp.exe

description	pid	process	target process
PID 4604 wrote to memory of 932	4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe	app.exe
PID 4604 wrote to memory of 932	4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe	app.exe
PID 4604 wrote to memory of 932	4604	8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 932 wrote to memory of 3876	932	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 3876 wrote to memory of 1228	3876	app.exe	app.exe
PID 1228 wrote to memory of 2788	1228	app.exe	svchost.exe
PID 1228 wrote to memory of 2788	1228	app.exe	svchost.exe
PID 1228 wrote to memory of 2788	1228	app.exe	svchost.exe
PID 1228 wrote to memory of 2788	1228	app.exe	svchost.exe
PID 1228 wrote to memory of 1492	1228	app.exe	taskmgr.exe
PID 1228 wrote to memory of 1492	1228	app.exe	taskmgr.exe
PID 1228 wrote to memory of 1492	1228	app.exe	taskmgr.exe
PID 1228 wrote to memory of 1492	1228	app.exe	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8eb2020f1d3c549da4b6076341fa032f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\app.exe
  C:\Windows\SysWOW64\app.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\app.exe
    "C:\Windows\SysWOW64\app.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\SysWOW64\app.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 480
        6⤵
        Program crash
        
        PID:816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 488
        6⤵
        Program crash
        
        PID:2976
    - - C:\WINDOWS\SysWOW64\taskmgr.exe
        
        C:\WINDOWS\system32\taskmgr.exe
        5⤵
        Drops file in Drivers directory
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1076
        6⤵
        Program crash
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1492 -ip 1492
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2788 -ip 2788
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut784D.tmp

Filesize
510KB

MD5
900ba50b614a0853060bf4c40f572806

SHA1
699241a25f5674f460c89b1f578bd31e384bef53

SHA256
f78d8dbf2b0e5b6ce2ac7ebb0a2ff86927a22af4e5a477a651f727dfbfd7f0de

SHA512
7a32fca0e46b09e38b0ba39bada68fa866e9ca8f4ceb587ee44d98a9f76dda5c3795f42f138b350bd287cfbb07ebf0cf93d1dc8b0e7f6273d989f072f6a73ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7927.tmp

Filesize
156KB

MD5
afb564741c2e34501330398ff8bc217c

SHA1
6c44e87dd2b7259ee91e707fa3c2ec2845d8888c

SHA256
e9d0e5d900336b8548b435597324be10553d8c2b17294ad3fe1581809408447a

SHA512
2f554bc2e2c14ea5ed36c4dc73f88046b1484f29ded2fae9ac5084902df0e0601b5f2274c93aaaea8862e209200804f36fae4b58bbb92ec048a478d90d620746

Download Submit
memory/932-11-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/932-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1228-29-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1228-35-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1228-34-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1492-37-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1492-39-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1492-40-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2788-36-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2788-42-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3876-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-33-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-20-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4604-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads