xtremerat | 00a32d7711e2ab033ef0ce78f07546d03ed2617fa7d351fc1feb3588ad67d53f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe
Size

180KB
MD5

7d647e36362b646d5c64e233763472ec
SHA1

59b6ef9d613d05165c78ccc92b7ea5b1a5736326
SHA256

00a32d7711e2ab033ef0ce78f07546d03ed2617fa7d351fc1feb3588ad67d53f
SHA512

de4686bcec2b8468c9317a7daa7c9cc822f938160daf016d5cf9e42cf8e273371c999bf1f65923015865057d73a8f10ac70022f6672086bd2d666059e7f5ea7e
SSDEEP

3072:gdew+yMRNdew+yMRdZ/9EWr+hSDtsvxz8WAay2u4KXqfT:rsFKthSDtexz8WAay2Eq

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/4632-30-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/1392-31-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4648-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/812-34-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4768-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/3824-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4648-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\winupd.exe restart"	server2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\winupd.exe restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe

Executes dropped EXE 2 IoCs

pid	Process
4768	server.exe
3824	server2.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winupd.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winupd.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winupd.exe"	server2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winupd.exe"	server2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winupd.exe"	server.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023c35-7.dat	upx
behavioral2/memory/4768-16-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4632-30-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/1392-31-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4648-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/812-34-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4768-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/3824-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4648-41-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\winupd.exe	server2.exe
File created	C:\Windows\InstallDir\winupd.exe	server2.exe
File opened for modification	C:\Windows\InstallDir\winupd.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4648	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4768	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	86
PID 624 wrote to memory of 4768	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	86
PID 624 wrote to memory of 4768	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	86
PID 624 wrote to memory of 3824	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	87
PID 624 wrote to memory of 3824	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	87
PID 624 wrote to memory of 3824	624	JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe	87
PID 3824 wrote to memory of 1392	3824	server2.exe	88
PID 3824 wrote to memory of 1392	3824	server2.exe	88
PID 3824 wrote to memory of 1392	3824	server2.exe	88
PID 4768 wrote to memory of 4632	4768	server.exe	89
PID 4768 wrote to memory of 4632	4768	server.exe	89
PID 4768 wrote to memory of 4632	4768	server.exe	89
PID 4768 wrote to memory of 4632	4768	server.exe	89
PID 3824 wrote to memory of 1392	3824	server2.exe	88
PID 4768 wrote to memory of 812	4768	server.exe	90
PID 4768 wrote to memory of 812	4768	server.exe	90
PID 4768 wrote to memory of 812	4768	server.exe	90
PID 3824 wrote to memory of 4648	3824	server2.exe	91
PID 3824 wrote to memory of 4648	3824	server2.exe	91
PID 3824 wrote to memory of 4648	3824	server2.exe	91
PID 4768 wrote to memory of 3964	4768	server.exe	93
PID 4768 wrote to memory of 3964	4768	server.exe	93
PID 4768 wrote to memory of 3964	4768	server.exe	93
PID 3824 wrote to memory of 4060	3824	server2.exe	92
PID 3824 wrote to memory of 4060	3824	server2.exe	92
PID 3824 wrote to memory of 4060	3824	server2.exe	92
PID 3824 wrote to memory of 4648	3824	server2.exe	91
PID 4768 wrote to memory of 812	4768	server.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d647e36362b646d5c64e233763472ec.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4632
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3964
- C:\Users\Admin\AppData\Local\Temp\server2.exe
  "C:\Users\Admin\AppData\Local\Temp\server2.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4648
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
19KB

MD5
1d1c725998efa82980c3e30879b1316a

SHA1
fe3fb5c8af57495776a91de66652b0c343ac9648

SHA256
75b0fbd4d6bc1f546dbf2a9be7d4652e0667594fac99bfd11ae9678d53f0d093

SHA512
efb6a5718f0a75a5b10d7313021305c0af835640bd65ff8c7f581c7e1684175064a5818d45e9a921ed754af2f7d5b4dd99119a629bcd52235c2372309bd5f6a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3x%BEl.cfg

Filesize
1KB

MD5
f4617b4f3d7a5da6be7b49e0504ca941

SHA1
a63a7e9a5a11b94698f77960b5a0d68c396fef17

SHA256
d833458ab4e9c5b38ac0e43b14aa53b17634922d7a7aa84d57608c6d5233ff3d

SHA512
29a2d9d17e4220b273217a5cbb9a6b99a9d848b2d305faa4146742dc70b4a441abe0ef340a73864359a6dcb5afb5a1bbd6013421208ad8ddcda48214335172bb

Download Submit
memory/624-2-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/624-1-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/624-21-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/624-0-0x0000000074AE2000-0x0000000074AE3000-memory.dmp

Filesize
4KB

Download
memory/812-34-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/1392-31-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3824-39-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4632-30-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4648-33-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4648-41-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4768-16-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4768-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads