xtremerat | 834c55018e4c59f0873fca2aca61623ebf99c6e2ea7274a3e4d02b7077cbd814

General

Target

JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
Size

115KB
MD5

418aba758db1af7b905d1e33b8eaa93b
SHA1

6e43044028fde1184f9b349d5b021cf2c8e0c455
SHA256

834c55018e4c59f0873fca2aca61623ebf99c6e2ea7274a3e4d02b7077cbd814
SHA512

07e6ddc74e6c055d4891b3851c9891f6a43f216e0068c958513e694db967078c95fe53bed47e5f6dbda5b25f3b3ee72e316d8d5f43db0a48561db43dd52cb5f9
SSDEEP

1536:75CFBKEWUIr2QTkKFmWW7D6UzjgMEBKEWUIr2uCchqtPlBTviGGOJ:NCrK72RKsD6oSK72jtPGi

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

냠delikralll.dyndns.org

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/1248-11-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat
behavioral2/memory/4896-13-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat
behavioral2/memory/1248-14-0x0000000010000000-0x000000001004B000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe

Executes dropped EXE 1 IoCs

pid	Process
4896	Decrypted.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023c91-6.dat	upx
behavioral2/memory/4896-9-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/1248-11-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/4896-13-0x0000000010000000-0x000000001004B000-memory.dmp	upx
behavioral2/memory/1248-14-0x0000000010000000-0x000000001004B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3660	1248	WerFault.exe	83
3084	1248	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5052	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4896	5052	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	82
PID 5052 wrote to memory of 4896	5052	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	82
PID 5052 wrote to memory of 4896	5052	JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe	82
PID 4896 wrote to memory of 1248	4896	Decrypted.exe	83
PID 4896 wrote to memory of 1248	4896	Decrypted.exe	83
PID 4896 wrote to memory of 1248	4896	Decrypted.exe	83
PID 4896 wrote to memory of 1248	4896	Decrypted.exe	83
PID 4896 wrote to memory of 4312	4896	Decrypted.exe	84
PID 4896 wrote to memory of 4312	4896	Decrypted.exe	84
PID 4896 wrote to memory of 4312	4896	Decrypted.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_418aba758db1af7b905d1e33b8eaa93b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 484
      4⤵
      Program crash
      PID:3660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 492
      4⤵
      Program crash
      PID:3084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1248 -ip 1248
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1248 -ip 1248
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
31KB

MD5
323bb7c4c7bfa3190fb61628b6ff4237

SHA1
b4fe9caed968a1c9a262ed9d84b6273507bcfc50

SHA256
8b9c980c11d4ac021dc0306d8cca117b4a1ce03ab19caee1b9e84ef4ad74395b

SHA512
07dbf1449debe11519322c0bc92dbc6d1e09e65d2ef90e2c127a4e6124e40be275803d2a636979ff2ff06d22ed6a4e6e73474cf7e99ce1abbad6166d617d49fd

Download Submit
memory/1248-11-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/1248-14-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4896-9-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4896-13-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing