xtremerat | 444019851d9dff176ff5a031d0c64eb491b37ae2cd84bf3214474121851f377a

General

Target

a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
Size

885KB
MD5

a4cddb4d05923df30ff0794d478769b2
SHA1

84d18e438a933601604055eb5aef4b492b9b6b33
SHA256

444019851d9dff176ff5a031d0c64eb491b37ae2cd84bf3214474121851f377a
SHA512

77dce82bcbd69e4aeb88b6bbc65825d021decf95799bee7807d392a46f6a58c1e3e7168e99d38e9c86f32e771ea07ce894ed50165bc68d09f1447b5050f1b914
SSDEEP

24576:C5bfVHXcEjg9244W8N5Gp5KFbjDl75hmV1UMP9n+eh:CVtHX9f4UFHDZ5AVug9n+G

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

esam2at.no-ip.biz

Signatures

Detect XtremeRAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-19-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat
behavioral1/memory/1164-22-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat
behavioral1/memory/2092-24-0x0000000000400000-0x0000000000421000-memory.dmp	family_xtremerat
behavioral1/memory/1164-33-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat
behavioral1/memory/1296-48-0x0000000000400000-0x00000000004AC000-memory.dmp	family_xtremerat
behavioral1/memory/2792-44-0x0000000010000000-0x00000000100D9000-memory.dmp	family_xtremerat
behavioral1/memory/2712-51-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat
behavioral1/memory/2792-52-0x0000000010000000-0x00000000100D9000-memory.dmp	family_xtremerat
behavioral1/memory/2740-56-0x0000000010000000-0x00000000100D9000-memory.dmp	family_xtremerat
behavioral1/memory/1164-53-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat
behavioral1/memory/1164-39-0x0000000010000000-0x000000001004C000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat
Executes dropped EXE 5 IoCs

Processes:

test.exetest.exec.exec.exe92file.exe

pid process

2092 test.exe
1164 test.exe
1296 c.exe
2792 c.exe
2716 92file.exe

pid	process
2092	test.exe
1164	test.exe
1296	c.exe
2792	c.exe
2716	92file.exe

Loads dropped DLL 8 IoCs

Processes:

a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exetest.exec.exec.exe

pid	process
2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
2092	test.exe
2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
1296	c.exe
2792	c.exe
2792	c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exec.exe

description pid process target process

PID 2092 set thread context of 1164 2092 test.exe test.exe
PID 1296 set thread context of 2792 1296 c.exe c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2092 set thread context of 1164	2092	test.exe	test.exe
PID 1296 set thread context of 2792	1296	c.exe	c.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exetest.exec.exetest.exesvchost.exec.exesvchost.exe92file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92file.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exetest.exec.exetest.exec.exe

description	pid	process	target process
PID 2028 wrote to memory of 2092	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	test.exe
PID 2028 wrote to memory of 2092	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	test.exe
PID 2028 wrote to memory of 2092	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	test.exe
PID 2028 wrote to memory of 2092	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2092 wrote to memory of 1164	2092	test.exe	test.exe
PID 2028 wrote to memory of 1296	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	c.exe
PID 2028 wrote to memory of 1296	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	c.exe
PID 2028 wrote to memory of 1296	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	c.exe
PID 2028 wrote to memory of 1296	2028	a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1296 wrote to memory of 2792	1296	c.exe	c.exe
PID 1164 wrote to memory of 2712	1164	test.exe	svchost.exe
PID 1164 wrote to memory of 2712	1164	test.exe	svchost.exe
PID 1164 wrote to memory of 2712	1164	test.exe	svchost.exe
PID 1164 wrote to memory of 2712	1164	test.exe	svchost.exe
PID 1164 wrote to memory of 2712	1164	test.exe	svchost.exe
PID 1164 wrote to memory of 3000	1164	test.exe	iexplore.exe
PID 1164 wrote to memory of 3000	1164	test.exe	iexplore.exe
PID 1164 wrote to memory of 3000	1164	test.exe	iexplore.exe
PID 1164 wrote to memory of 3000	1164	test.exe	iexplore.exe
PID 2792 wrote to memory of 2740	2792	c.exe	svchost.exe
PID 2792 wrote to memory of 2740	2792	c.exe	svchost.exe
PID 2792 wrote to memory of 2740	2792	c.exe	svchost.exe
PID 2792 wrote to memory of 2740	2792	c.exe	svchost.exe
PID 1164 wrote to memory of 3000	1164	test.exe	iexplore.exe
PID 2792 wrote to memory of 2740	2792	c.exe	svchost.exe
PID 2792 wrote to memory of 2956	2792	c.exe	iexplore.exe
PID 2792 wrote to memory of 2956	2792	c.exe	iexplore.exe
PID 2792 wrote to memory of 2956	2792	c.exe	iexplore.exe
PID 2792 wrote to memory of 2956	2792	c.exe	iexplore.exe
PID 2792 wrote to memory of 2956	2792	c.exe	iexplore.exe
PID 2792 wrote to memory of 2716	2792	c.exe	92file.exe
PID 2792 wrote to memory of 2716	2792	c.exe	92file.exe
PID 2792 wrote to memory of 2716	2792	c.exe	92file.exe
PID 2792 wrote to memory of 2716	2792	c.exe	92file.exe

C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4cddb4d05923df30ff0794d478769b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3000
- C:\Users\Admin\AppData\Local\Temp\c.exe
  "C:\Users\Admin\AppData\Local\Temp\c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\c.exe
    "C:\Users\Admin\AppData\Local\Temp\c.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\92file.exe
      "C:\Users\Admin\AppData\Local\Temp\92file.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\92file.exe

Filesize
570KB

MD5
ec947f168cb115927be76ab5c96d2579

SHA1
75624f129e2957bf769aced2e8932da4115c1d71

SHA256
eddb8d9143117dc95b3390d0884bd73d729dc4e334c097541baa25ccce28140e

SHA512
501aa21e93e0b9b3b42c49bda992692a7c016520eb7065e406cb2c7ee4e257033e94db13bc4f87263de73ff331517482895cf322f1c28bb593964da942afafba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe

Filesize
656KB

MD5
ccbb568cdc64c6c1bcd64017c75dc733

SHA1
2784342892f49a2cdf976ae36045be914ab034cd

SHA256
1c03614b1f39c952b06ee7722223aa687d4b4f5cbde61d251dc5a97ddfbfbdc1

SHA512
3a5852b0c23f1d13c388e3d81ad069a676347ebf81edd8b531d30edd7bad8814ba6813415dd7ab61e21b4cfda2d615e8c0c19c90afda5bcd25ef0437cd3be53d

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
101KB

MD5
76d2a6e12aa765b6956151f1314bc324

SHA1
c1ae87020d101bdc4c1c4632fa9b4e87658d430f

SHA256
cedbecc6ad6efd885c511180a8d365268cedfb957031e868d52fe9de2b5eedda

SHA512
2245b2fd90689163514ca0ff637d07a890cb09b4280891272f6c31e1b95a671c389a8310bb7e0eb5d040cc5f3b547d3f0cb4b2a1c027ac77562f7c585c947ee1

Download Submit
memory/1164-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1164-33-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1164-18-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1164-39-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1164-19-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1164-22-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1164-53-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1296-40-0x0000000001D50000-0x0000000001DFC000-memory.dmp

Filesize
688KB

Download
memory/1296-38-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1296-48-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2028-34-0x0000000000400000-0x00000000004C9E00-memory.dmp

Filesize
807KB

Download
memory/2028-4-0x00000000029B0000-0x00000000029D1000-memory.dmp

Filesize
132KB

Download
memory/2028-27-0x00000000029C0000-0x0000000002A6C000-memory.dmp

Filesize
688KB

Download
memory/2028-0-0x0000000000400000-0x00000000004C9E00-memory.dmp

Filesize
807KB

Download
memory/2092-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-15-0x00000000002C0000-0x00000000002E1000-memory.dmp

Filesize
132KB

Download
memory/2712-51-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/2716-67-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-56-0x0000000010000000-0x00000000100D9000-memory.dmp

Filesize
868KB

Download
memory/2792-46-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2792-52-0x0000000010000000-0x00000000100D9000-memory.dmp

Filesize
868KB

Download
memory/2792-42-0x0000000010000000-0x00000000100D9000-memory.dmp

Filesize
868KB

Download
memory/2792-44-0x0000000010000000-0x00000000100D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads