xtremerat | a04907637a28f64922000f7d00661815713ebaf1a9c0bff2c7171c6597e8953c

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe
Size

119KB
MD5

2db639bef2300483e4b2e09fd9b5e6f4
SHA1

07b2577b622d27ba144bc900b6252885fca3190d
SHA256

a04907637a28f64922000f7d00661815713ebaf1a9c0bff2c7171c6597e8953c
SHA512

2c513cb2b11bbbb38d15bfd9b27d21d39e821e55070ac7600ae56b6d904014ab7723c8bc1a2e8554a5242f8f0e375492c98ffe3d3218a97a5056df5ca53fe213
SSDEEP

3072:n+NGq8ji8Dw0wBoH7/E4n7Md+723AZxeG:nchdBob/EMQdZqv

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1252-21-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Executes dropped EXE 1 IoCs

pid	Process
1252	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe
2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000019273-6.dat	upx
behavioral1/memory/1252-15-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1252-21-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1252	2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe	30
PID 2516 wrote to memory of 1252	2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe	30
PID 2516 wrote to memory of 1252	2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe	30
PID 2516 wrote to memory of 1252	2516	JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2db639bef2300483e4b2e09fd9b5e6f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\server.exe

Filesize
21KB

MD5
a03374ecd13c6bd85899e246e458d2f0

SHA1
032976e6fc2eaa92e998ff0e4448e29727490f4b

SHA256
c0342abf3f5225d7e848cb1573d8a3713340b51991f75ddc20e852268a6f4979

SHA512
cb1919673df45fffcb67a5eb0f94bacdc8179dcdd18b99c27232d8a92c4cd8823be0f4a95d45dcd60b3fc948a170a0826d68297eb820197f50144aba2b67114d

Download Submit
memory/1252-15-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1252-21-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2516-0-0x00000000741E1000-0x00000000741E2000-memory.dmp

Filesize
4KB

Download
memory/2516-1-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-2-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-3-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-13-0x0000000005460000-0x0000000005476000-memory.dmp

Filesize
88KB

Download
memory/2516-12-0x0000000005460000-0x0000000005476000-memory.dmp

Filesize
88KB

Download
memory/2516-18-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2516-19-0x0000000005460000-0x0000000005476000-memory.dmp

Filesize
88KB

Download
memory/2516-20-0x0000000005460000-0x0000000005476000-memory.dmp

Filesize
88KB

Download