xtremerat | 834c55018e4c59f0873fca2aca61623ebf99c6e2ea7274a3e4d02b7077cbd814

General

Target

JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
Size

115KB
MD5

418aba758db1af7b905d1e33b8eaa93b
SHA1

6e43044028fde1184f9b349d5b021cf2c8e0c455
SHA256

834c55018e4c59f0873fca2aca61623ebf99c6e2ea7274a3e4d02b7077cbd814
SHA512

07e6ddc74e6c055d4891b3851c9891f6a43f216e0068c958513e694db967078c95fe53bed47e5f6dbda5b25f3b3ee72e316d8d5f43db0a48561db43dd52cb5f9
SSDEEP

1536:75CFBKEWUIr2QTkKFmWW7D6UzjgMEBKEWUIr2uCchqtPlBTviGGOJ:NCrK72RKsD6oSK72jtPGi

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

냠delikralll.dyndns.org

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1968-16-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat
behavioral1/memory/2528-17-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat
behavioral1/memory/1968-18-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Executes dropped EXE 1 IoCs

pid	Process
2528	Decrypted.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001225f-4.dat	upx
behavioral1/memory/2528-13-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral1/memory/1968-16-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral1/memory/2528-17-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral1/memory/1968-18-0x0000000010000000-0x000000001004B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2528	2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	30
PID 2372 wrote to memory of 2528	2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	30
PID 2372 wrote to memory of 2528	2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	30
PID 2372 wrote to memory of 2528	2372	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	30
PID 2528 wrote to memory of 1968	2528	Decrypted.exe	31
PID 2528 wrote to memory of 1968	2528	Decrypted.exe	31
PID 2528 wrote to memory of 1968	2528	Decrypted.exe	31
PID 2528 wrote to memory of 1968	2528	Decrypted.exe	31
PID 2528 wrote to memory of 1968	2528	Decrypted.exe	31
PID 2528 wrote to memory of 2556	2528	Decrypted.exe	32
PID 2528 wrote to memory of 2556	2528	Decrypted.exe	32
PID 2528 wrote to memory of 2556	2528	Decrypted.exe	32
PID 2528 wrote to memory of 2556	2528	Decrypted.exe	32
PID 2528 wrote to memory of 2556	2528	Decrypted.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
31KB

MD5
323bb7c4c7bfa3190fb61628b6ff4237

SHA1
b4fe9caed968a1c9a262ed9d84b6273507bcfc50

SHA256
8b9c980c11d4ac021dc0306d8cca117b4a1ce03ab19caee1b9e84ef4ad74395b

SHA512
07dbf1449debe11519322c0bc92dbc6d1e09e65d2ef90e2c127a4e6124e40be275803d2a636979ff2ff06d22ed6a4e6e73474cf7e99ce1abbad6166d617d49fd

Download Submit
memory/1968-16-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/1968-18-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2372-11-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2372-10-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2528-13-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/2528-17-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing