xtremerat | 6b952d6ebb08de5eab2f3ea4c71e7180c3a94c414b3ce9a96a990e72b449b28d

General

Target

b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe
Size

75KB
MD5

b10f39667824d1849ce4a03eb9c080cd
SHA1

c9c976b9da57d242e6083865ccaa54e6dd05f7fb
SHA256

6b952d6ebb08de5eab2f3ea4c71e7180c3a94c414b3ce9a96a990e72b449b28d
SHA512

84141d18910ef9671fa0c43bab870c5f8260e98b82606b19f52a28c86e7e97e2043bbe8c0a07022da3aeb72082ee50946b2d3706beeddc8790b2379c9bcbb3f1
SSDEEP

1536:cj2qkSZZZ3gd4XUZuhgZWVg5gjwp9w0KOIeLrtqZ2:cjYUP4uhgZWV949w5ODHIZ2

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

botak.no-ip.info

Signatures

Detect XtremeRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1208-21-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3212-23-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1208-24-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Crypted.exe

pid	Process
3212	Crypted.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b7b-14.dat	upx
behavioral2/memory/3212-17-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1208-21-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3212-23-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1208-24-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3308	1208	WerFault.exe	84
1928	1208	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Crypted.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exeCrypted.exe

description	pid	Process	procid_target
PID 4332 wrote to memory of 3212	4332	b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe	83
PID 4332 wrote to memory of 3212	4332	b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe	83
PID 4332 wrote to memory of 3212	4332	b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe	83
PID 3212 wrote to memory of 1208	3212	Crypted.exe	84
PID 3212 wrote to memory of 1208	3212	Crypted.exe	84
PID 3212 wrote to memory of 1208	3212	Crypted.exe	84
PID 3212 wrote to memory of 1208	3212	Crypted.exe	84
PID 3212 wrote to memory of 1968	3212	Crypted.exe	85
PID 3212 wrote to memory of 1968	3212	Crypted.exe	85
PID 3212 wrote to memory of 1968	3212	Crypted.exe	85

C:\Users\Admin\AppData\Local\Temp\b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b10f39667824d1849ce4a03eb9c080cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 480
      4⤵
      Program crash
      PID:3308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 500
      4⤵
      Program crash
      PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1208 -ip 1208
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1208 -ip 1208
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
33KB

MD5
3707c298c99b776e2a92853bc1261f69

SHA1
d8980775871f279b2ce7e3e9898de016af8d6898

SHA256
a5a583570914f7654d572aa35687f9330fb2f56941d1589443f5b3fe37ef3294

SHA512
a0d8d3d47fcc954b86f50bb0050f3d8c04b0e142f8fddcf80bfe8691e78cab96a91d5d4d946bfdbc70aeac138e9eecb55c8abc26bacc0549d965c506dd0049ae

Download Submit
memory/1208-24-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1208-21-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3212-23-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3212-17-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4332-10-0x00007FFCC83A0000-0x00007FFCC8D41000-memory.dmp

Filesize
9.6MB

Download
memory/4332-6-0x0000000001910000-0x0000000001918000-memory.dmp

Filesize
32KB

Download
memory/4332-7-0x000000001CBE0000-0x000000001CC2C000-memory.dmp

Filesize
304KB

Download
memory/4332-0-0x00007FFCC8655000-0x00007FFCC8656000-memory.dmp

Filesize
4KB

Download
memory/4332-9-0x00007FFCC83A0000-0x00007FFCC8D41000-memory.dmp

Filesize
9.6MB

Download
memory/4332-5-0x00007FFCC83A0000-0x00007FFCC8D41000-memory.dmp

Filesize
9.6MB

Download
memory/4332-4-0x000000001C100000-0x000000001C19C000-memory.dmp

Filesize
624KB

Download
memory/4332-20-0x00007FFCC83A0000-0x00007FFCC8D41000-memory.dmp

Filesize
9.6MB

Download
memory/4332-3-0x000000001C680000-0x000000001CB4E000-memory.dmp

Filesize
4.8MB

Download
memory/4332-2-0x00007FFCC83A0000-0x00007FFCC8D41000-memory.dmp

Filesize
9.6MB

Download
memory/4332-1-0x000000001BFB0000-0x000000001C056000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads