xtremerat | c70510202c462ace65b2ebd8a8f6a18bd4ce1837c8969b0cca5f4e15da91234b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
Size

492KB
MD5

b2c466baa06ed734c900ebb204443bab
SHA1

5e4fc6b1987be9ed5c415422323c258430aab4cb
SHA256

c70510202c462ace65b2ebd8a8f6a18bd4ce1837c8969b0cca5f4e15da91234b
SHA512

614013c91fe4e0a6d7ffb979bb1df8f6a9b5bda948ca3f272729153331f7cda57bb17181371811b9d2838c197d82dc11b65a919078d9ce0916e33637a84931ee
SSDEEP

12288:jUeogh3M90xFJGJ1F2g5IR/hv5QfUEv5vQ/NTkcGetZj7Flpp0w+7/FDryK+fv3H:jTsF2g5IR/hv5QfUEv5vQ/NTkcGetZj9

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	SCFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SCFile.exe restart"	SCFile.exe

Executes dropped EXE 2 IoCs

pid	Process
1404	SCFile.exe
3020	WerFault.exe

Loads dropped DLL 7 IoCs

pid	Process
620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SCFile.exe"	SCFile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SCFile.exe"	SCFile.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	SCFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WerFault.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
Token: SeDebugPrivilege	3020	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 1404	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	30
PID 620 wrote to memory of 3020	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	31
PID 620 wrote to memory of 3020	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	31
PID 620 wrote to memory of 3020	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	31
PID 620 wrote to memory of 3020	620	b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe	31
PID 1404 wrote to memory of 3184	1404	SCFile.exe	32
PID 1404 wrote to memory of 3184	1404	SCFile.exe	32
PID 1404 wrote to memory of 3184	1404	SCFile.exe	32
PID 1404 wrote to memory of 3184	1404	SCFile.exe	32
PID 1404 wrote to memory of 3184	1404	SCFile.exe	32
PID 1404 wrote to memory of 3588	1404	SCFile.exe	33
PID 1404 wrote to memory of 3588	1404	SCFile.exe	33
PID 1404 wrote to memory of 3588	1404	SCFile.exe	33
PID 1404 wrote to memory of 3588	1404	SCFile.exe	33
PID 1404 wrote to memory of 3588	1404	SCFile.exe	33
PID 1404 wrote to memory of 3636	1404	SCFile.exe	34
PID 1404 wrote to memory of 3636	1404	SCFile.exe	34
PID 1404 wrote to memory of 3636	1404	SCFile.exe	34
PID 1404 wrote to memory of 3636	1404	SCFile.exe	34
PID 1404 wrote to memory of 3636	1404	SCFile.exe	34
PID 1404 wrote to memory of 3644	1404	SCFile.exe	35
PID 1404 wrote to memory of 3644	1404	SCFile.exe	35
PID 1404 wrote to memory of 3644	1404	SCFile.exe	35
PID 1404 wrote to memory of 3644	1404	SCFile.exe	35
PID 1404 wrote to memory of 3644	1404	SCFile.exe	35
PID 1404 wrote to memory of 3652	1404	SCFile.exe	36
PID 1404 wrote to memory of 3652	1404	SCFile.exe	36
PID 1404 wrote to memory of 3652	1404	SCFile.exe	36
PID 1404 wrote to memory of 3652	1404	SCFile.exe	36
PID 1404 wrote to memory of 3652	1404	SCFile.exe	36
PID 1404 wrote to memory of 3660	1404	SCFile.exe	37
PID 1404 wrote to memory of 3660	1404	SCFile.exe	37
PID 1404 wrote to memory of 3660	1404	SCFile.exe	37
PID 1404 wrote to memory of 3660	1404	SCFile.exe	37
PID 1404 wrote to memory of 3660	1404	SCFile.exe	37
PID 1404 wrote to memory of 3668	1404	SCFile.exe	38
PID 1404 wrote to memory of 3668	1404	SCFile.exe	38
PID 1404 wrote to memory of 3668	1404	SCFile.exe	38
PID 1404 wrote to memory of 3668	1404	SCFile.exe	38
PID 1404 wrote to memory of 3668	1404	SCFile.exe	38
PID 1404 wrote to memory of 3676	1404	SCFile.exe	39
PID 1404 wrote to memory of 3676	1404	SCFile.exe	39
PID 1404 wrote to memory of 3676	1404	SCFile.exe	39
PID 1404 wrote to memory of 3676	1404	SCFile.exe	39

C:\Users\Admin\AppData\Local\Temp\b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2c466baa06ed734c900ebb204443bab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\SCFile.exe_v661FC3F6\TheApp\STUBEXE\@APPDATALOCAL@\Temp\SCFile.exe
  "C:\Users\Admin\AppData\Local\Temp\SCFile.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3184
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3588
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3644
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3652
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3660
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3676
- C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\SCFile.exe_v661FC3F6\Native\STUBEXE\@WINDIR@\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 252
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\SCFile.exe_v661FC3F6\Native\STUBEXE\@WINDIR@\SysWOW64\WerFault.exe

Filesize
16KB

MD5
1890529b95eb49cfeb30bcaed7c1c527

SHA1
d7c82eae2702b093704e625183e15119ca6ffdc0

SHA256
14b7a5f83b4d533f8c6573f7bea121493bf7ea58edf77b49fb072216871ebe1b

SHA512
eadfcce2420e38fe4c2e0b39374a573185fe359e6af16aaf5e622724dfadf98a8393545f79540ce98415b769e990d1e259477c650ecd5855e789d3fb188ee839

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\SCFile.exe_v661FC3F6\TheApp\MODIFIED\@APPDATALOCAL@\Temp\SCFile.exe

Filesize
96KB

MD5
f747394af5c7fe28317c425462a901f0

SHA1
e50044e535c14000799a5a992591bd04d6a9df03

SHA256
d1d3b31fb4bb174969f9de69e4010c27d69514bba265dfa8dfcb9b7e00ebe4d5

SHA512
6f2a2f962b5534d484fe47a357fd7b266a6852e33de6176696d5c8086a15a800821c6ccdb5d1da19be254d020be0029ef097278529ccfbf065b54d26644ae88e

Download Submit
\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\SCFile.exe_v661FC3F6\TheApp\STUBEXE\@APPDATALOCAL@\Temp\SCFile.exe

Filesize
16KB

MD5
f9fbd01132e0019adfd4f5c7cc89c46d

SHA1
463a71c9634d5ef84f322202c54fb403bb674620

SHA256
19adc3f5be56ff6bb47fcfa0dda8ea463a316736e2431b6d208e4c36c252d2a7

SHA512
de12f2f127d59e64433fd970aee95a181a79b813e8c016f48dfe1d62bac0264871c4bbde2adb9f7c7a9c029639ba533a353276c132a555428c746a15f803b82c

Download Submit
memory/620-25-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-544-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-55-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-53-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-51-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-49-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-47-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-45-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-23-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-41-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-39-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-37-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-35-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-33-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-31-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-29-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-27-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-59-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-43-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-57-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-9-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-17-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-15-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-13-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-11-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-19-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-7-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-5-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-3-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-1-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-0-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-250-0x0000000077C40000-0x0000000077C41000-memory.dmp

Filesize
4KB

Download
memory/620-249-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-248-0x0000000000400000-0x00000000009642D8-memory.dmp

Filesize
5.4MB

Download
memory/620-61-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-63-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-21-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/620-545-0x0000000000400000-0x00000000009642D8-memory.dmp

Filesize
5.4MB

Download