xtremerat | 356302f99a32f089bf48764621c9cf6e38c08f112b6e82d1b475efaa2192bfc6

General

Target

JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
Size

872KB
MD5

49903a1f7b3e8018132a6c757f4c75c3
SHA1

0522dd27679f2a6c3c781a26365ecf0d97ea9061
SHA256

356302f99a32f089bf48764621c9cf6e38c08f112b6e82d1b475efaa2192bfc6
SHA512

85a46ce914863bb38712338bcc5892669fe4be54e7fde853dca2222eea854bb59933cbe1716a7ce0c657a9e14fc70fc98e0e5d4acf1db2d0872655ba1b28358e
SSDEEP

6144:U9XRz+saO24Pr7yyrBIErxcYKJZCHbmWaOGRryrBIErxcYKJZCHbmWaOGR+7:U9Xf24DVBIEqYKqHqhO/BIEqYKqHqhO

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

ehec.no-ip.info

Signatures

Detect XtremeRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3992-38-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Executes dropped EXE 2 IoCs

pid	Process
2484	taskmgr.exe
3992	61406.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b9d-30.dat	upx
behavioral2/memory/3992-33-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3992-38-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61406.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	taskmgr.exe
2484	taskmgr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2924	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	82
PID 2968 wrote to memory of 2924	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	82
PID 2968 wrote to memory of 2924	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	82
PID 2924 wrote to memory of 4628	2924	csc.exe	84
PID 2924 wrote to memory of 4628	2924	csc.exe	84
PID 2924 wrote to memory of 4628	2924	csc.exe	84
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 2484	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	85
PID 2968 wrote to memory of 3992	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	86
PID 2968 wrote to memory of 3992	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	86
PID 2968 wrote to memory of 3992	2968	JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe	86
PID 3992 wrote to memory of 3888	3992	61406.exe	87
PID 3992 wrote to memory of 3888	3992	61406.exe	87
PID 3992 wrote to memory of 3888	3992	61406.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49903a1f7b3e8018132a6c757f4c75c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgwv0xyc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8175.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8174.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- C:\Users\Admin\AppData\Roaming\taskmgr.exe
  C:\Users\Admin\AppData\Roaming\taskmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2484
- C:\Users\Admin\AppData\Roaming\61406.exe
  "C:\Users\Admin\AppData\Roaming\61406.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8175.tmp

Filesize
1KB

MD5
4a996694b42836233d9e92f2179dd112

SHA1
8bc42cde0340ec4eb74e4c74ad86812e5e752f11

SHA256
7ba15f0fd23fb6884c9a1373476b32c1c407e259184f4526277da7ff3750310e

SHA512
ee7f3d1b7bd600860323befc650b33eb4c08be0e90148beeb3a511989481b6008e0310b3a93b9ed4765e3527f3bf1039a14c99b18b3f76059325005609e24969

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgwv0xyc.dll

Filesize
5KB

MD5
77da103cdc01a44c833f1dfa63850fc5

SHA1
c48f529461c0c19d905578b55796df1e25f9c55d

SHA256
dc528c742710da588aae9d9acb10507b302280eb61da55b2fd6b536abff83686

SHA512
59428b872556918bda51dbab74bae76165c5aaeae0885d9a46a1e4f1cffcc12ef3686bcba552a287c88cd37b2e4c16de95b96bbac090531e28a7b89567446f34

Download Submit
C:\Users\Admin\AppData\Roaming\61406.exe

Filesize
33KB

MD5
d3136e874b081f6a32ccfde17aeaca84

SHA1
0262e57d4c272243b4ac88f91386ad9e476dfa72

SHA256
4051a0076596628190f927e30dd461e44c3c721dc52c2e058b5b41cfb661f4be

SHA512
7e12fdac66debb1c4ca40d009ddb702ff71afeacfb93d43b37a43c274675a273dbab76a29bf47d2eb0da72412f3f90d1862eb67423abcf9c904ce5b8955060e5

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgr.exe

Filesize
256KB

MD5
2b30aeb9e54cc47c153369c4c955367e

SHA1
80f492a8937b85aa2a56ba513e2686e7f6970dc4

SHA256
dac95b0c8866c7a5ace718fcea5e349e5e065467ea06e98bca16b87449794af7

SHA512
bac8d1fa9305fce1ebc46b53d4ea14ff6b228ccebdd084f273134b95577174e765dde7141cbd0a45d041e40cde36991a90b5eb363a72c6c82d809c9c3a9c0015

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8174.tmp

Filesize
652B

MD5
85c235e61806c2ac3da5e621e2c703c8

SHA1
91d87e992118e9ea890b42ed17582eda18533773

SHA256
5ef62ad1eb8d5f1cf24c92a045accd15ae78629ced590d0db09d82f934dda1de

SHA512
a412fbf5ca3d70f27c714c6f530696992465cd3007977bc407a83ee235ba8fd6feb689bfb272a18871a7e3614ad9f12eec103819a15e6134c5a39b8c46a2e970

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgwv0xyc.0.cs

Filesize
4KB

MD5
6830431c6b49f72eaca4b2888a0ddaa9

SHA1
502083f68f991bfcfd771a7ba5bd508c2834591c

SHA256
ae57e8973a24563582d571743f0339d9347ffc82ed716d12a994694c2b673bf8

SHA512
939fa8cb2ca518904dea91b9612c53d833b9cf11e393fb376c1b0d00734e52b33708a6302e04bf15cb6a8e745475163766dec5a29ac265c914d0c286a170b35a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dgwv0xyc.cmdline

Filesize
206B

MD5
02f9cedc88a331b4e82d7399040a83fc

SHA1
e71ce09b91e5a892542bb356d3a6de8d3c097cdf

SHA256
69a92694d781012113d2740cc9af739c56b9bc6b741cd3a2c4575df10001aa21

SHA512
1e7b24816375f9b33d581d9e16b931aeacaaf55b33197e7b7887a8f65819927e5f6ff90d4949adc94f57089efdac694066476c88328686ae3782a203ce080ba0

Download Submit
memory/2484-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-16-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2924-11-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2968-36-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2968-0-0x0000000074F72000-0x0000000074F73000-memory.dmp

Filesize
4KB

Download
memory/2968-2-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/2968-1-0x0000000074F70000-0x0000000075521000-memory.dmp

Filesize
5.7MB

Download
memory/3992-38-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3992-33-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing