xtremerat | c8d0d7d13a57e0f8a2bbe0edd5f18260154e0b69d82d5c92ff2cbba41cf369ac

General

Target

eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
Size

158KB
MD5

eebfa09c116e21d5d74c3828c4450f94
SHA1

5aece7b3fa05059798e512f5b632e77af237d54b
SHA256

c8d0d7d13a57e0f8a2bbe0edd5f18260154e0b69d82d5c92ff2cbba41cf369ac
SHA512

601a4607f8de8aefa61754f75ae77e59b00f0d7281f651cbc725a64554dd0fdf4df8d449f4f0c1383658b43db1e15cda78e00d0e4baffc4093ad1375da77d32a
SSDEEP

3072:b1dlKwgj23+Oz05YoNozjXXLEsvDABOJUJsObFp6gEI:b1dlZro5yjXNNJUJL5QgEI

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

0profx.no-ip.info

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016b86-55.dat	family_xtremerat
behavioral1/memory/236-69-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1096-73-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2292-74-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1096-76-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G42875Y-47T5-2IB3-7F1I-N1804BOB3NUP}	speedup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G42875Y-47T5-2IB3-7F1I-N1804BOB3NUP}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	speedup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G42875Y-47T5-2IB3-7F1I-N1804BOB3NUP}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4G42875Y-47T5-2IB3-7F1I-N1804BOB3NUP}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	x.exe
2544	kh.exe
2292	speedup.exe

Loads dropped DLL 6 IoCs

pid	Process
2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
2944	x.exe
2944	x.exe
2944	x.exe
2944	x.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	speedup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	speedup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\http:\www.mediafire.com\?zz1nkyimuiw è	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\x.exe	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\ÊQb’´ˆ o†P‹•'ÂÎæ´ò†k´c8=#¹J;‡G"I³”t?Å¸GtÖ«éq°YªIèPJæ©å jŠÿ@yÃ bÓ	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\speedup.exe	x.exe
File opened for modification	C:\WINDOWS\SysWOW64\sÐB•kVNGúìEÛ,–;»ä SÀupéøAÃÈ¿ƒ«Úüi´·ÊG9¥ÚbÑÍi³ÓìC!ôqçGW¸ªëáºÇJƒ7Ë&6ä™ÙqMÐ;W]XV.ÓüÏqqAd¯Ð½Ì}%Û¦þ=ÉpN,çÝ<{‡k¬£o'B‹u¿Ÿáøå’Nº0åÊ‰R=xk}˜™:a»míž„†‹÷6¬úªç«¹äáHÚspû²\J•ÀÄEÚËZ¡¦÷{Sü²	x.exe
File created	C:\WINDOWS\SysWOW64\kh.exe	x.exe
File opened for modification	C:\WINDOWS\SysWOW64\ÿuÐÿ–¡	x.exe
File created	C:\WINDOWS\SysWOW64\download monsters.txt	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InstallDir\Server.exe	speedup.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	speedup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	speedup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2944	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2944	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2944	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2944	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2544	2944	x.exe	31
PID 2944 wrote to memory of 2544	2944	x.exe	31
PID 2944 wrote to memory of 2544	2944	x.exe	31
PID 2944 wrote to memory of 2544	2944	x.exe	31
PID 2944 wrote to memory of 2292	2944	x.exe	32
PID 2944 wrote to memory of 2292	2944	x.exe	32
PID 2944 wrote to memory of 2292	2944	x.exe	32
PID 2944 wrote to memory of 2292	2944	x.exe	32
PID 2640 wrote to memory of 2444	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2444	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2444	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2444	2640	eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe	33
PID 2292 wrote to memory of 236	2292	speedup.exe	34
PID 2292 wrote to memory of 236	2292	speedup.exe	34
PID 2292 wrote to memory of 236	2292	speedup.exe	34
PID 2292 wrote to memory of 236	2292	speedup.exe	34
PID 2292 wrote to memory of 236	2292	speedup.exe	34
PID 2292 wrote to memory of 1096	2292	speedup.exe	35
PID 2292 wrote to memory of 1096	2292	speedup.exe	35
PID 2292 wrote to memory of 1096	2292	speedup.exe	35
PID 2292 wrote to memory of 1096	2292	speedup.exe	35
PID 2292 wrote to memory of 1096	2292	speedup.exe	35

C:\Users\Admin\AppData\Local\Temp\eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eebfa09c116e21d5d74c3828c4450f94_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\WINDOWS\SysWOW64\x.exe
  "C:\WINDOWS\system32\x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\WINDOWS\SysWOW64\kh.exe
    "C:\WINDOWS\system32\kh.exe"
    3⤵
    - Executes dropped EXE
    PID:2544
- - C:\Windows\SysWOW64\speedup.exe
    "C:\Windows\System32\speedup.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:236
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1096
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\download monsters.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
215B

MD5
d6c77b95a7512deb1d2b1fe7a67ea60a

SHA1
1c52fc5a941e5fc6a2e0d446dbd2bffa6926bf90

SHA256
b6fb51ea974b7508804197f471a19a68dd5fa61274cb3707f7299420ad1a1269

SHA512
0035b79f75acd105ab70398a4bda0d56672f0cdcf3dafb0075af8e9394355889b10f95df23caffea1c8dce14eaa3d5ebb8c5cac32cbf3fc2b251285498f52d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
224B

MD5
f61bcd04ccef3564b10cbac736e27e8e

SHA1
19260cf4f210a30982de4eaec8ac898770a8b16a

SHA256
2133957a9fea95cddb6ad119b5f7fcfd441e59eececff2bff668197aa42ce7bb

SHA512
d003c4414b9571f7139a40aa1a7fa1194c60c917763e4494da145cf4dceb8864be7b2d762070ac5b0f86dbfac59d690fbd3c9863c8da4a3a1da30512f133b86e

Download Submit
C:\Windows\SysWOW64\download monsters.txt

Filesize
37B

MD5
7b0d18f2a0f3c805dc5b3e9ee76d12e9

SHA1
f8de011b6d444130b1f937ff9c7c725f1aa6b8ec

SHA256
cca46a8b080f6c526668c9be19f636d1b4a8e32677b46f7f6a47d9b16af61a2c

SHA512
e44a16a5a39a373cdfd24e17156cff6299592ade1fe815a9dc9dc301409ffee170fdbd9256762b2253b60f4af377d268ecd79ad76f24a605cf611f745dd2daa7

Download Submit
C:\Windows\SysWOW64\kh.exe

Filesize
9KB

MD5
f2fdc7ab781145e7a7692d1d259c487d

SHA1
00b9fca4a40f92069060eac8b23025c8d39d2429

SHA256
856874b9ce2c266d82c50a93e3464d3f921ebab635c6e0538d6703b03caa4460

SHA512
1af9f21bc88914e8a1702e7b822770a90a8c1c8b870c5d037006f55728518173833bd486d6e081a90baf883e2344897519a687e132f899a65bb3427f5b7f7d80

Download Submit
\Windows\SysWOW64\speedup.exe

Filesize
44KB

MD5
802e3d144eab1f448f10d2f36e392eaa

SHA1
b9a0241497812e6011155375b91978d3c1e359da

SHA256
867588b70c9437d2664fad19306b099009f550ab892f84520f7ea58c1c950707

SHA512
17123823315bfa3a92c03acf69cd6d25c55fe4c39ffb429a60c0b6d2ee994a91f4cc109ab5612721f8ba1001c7ad4981208cffb08c834f4975b4b6da9dafc4d3

Download Submit
\Windows\SysWOW64\x.exe

Filesize
121KB

MD5
82d1575943e84005042b375cf916c597

SHA1
ee73f950fcca9229433f0d920a47406c323e4340

SHA256
2985a22cf20655b7d517c5aed5a6d7d691aa0086183154399d66e384af086b3b

SHA512
d3b698cf1c29f701e95e98a57bb9227bbb652bcae9126f65f9c197d3537d09fa76905dd668f3a1a09e9b419d2276b03c6620fb8f941a067a0fd4de4165eded08

Download Submit
memory/236-69-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/236-67-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1096-73-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1096-76-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2292-74-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads