xtremerat | 105c8da7c072eb57f09212d67cbf6fe3d63cf12b8a1e4817f385e442750258ba

General

Target

JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
Size

141KB
MD5

9ed7cf6b6d3eedfa7a6521fe79966ad3
SHA1

7006fedeb6f79c82cd3bb66a24ab4af83c095af8
SHA256

105c8da7c072eb57f09212d67cbf6fe3d63cf12b8a1e4817f385e442750258ba
SHA512

a4faa0bec298ce5993849e5f5071cb297d97ba2720e8affe5a3e761264ece901878792d08020ccab0186636a18aa745524f82598311e44c24725737778e8f918
SSDEEP

3072:DmVZ3bRZW2+dzaw0sMJttlUyFlI+e+ANOdfut8Jj:cRDWB5A80I+NfutIj

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/4016-9-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4016-7-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3156-10-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4016-11-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3156-12-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4016-3-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4016-5-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4016-9-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4016-7-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3156-10-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4016-11-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3156-12-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1492	3156	WerFault.exe	85
2884	3156	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4908 wrote to memory of 4016	4908	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	83
PID 4016 wrote to memory of 3156	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	85
PID 4016 wrote to memory of 3156	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	85
PID 4016 wrote to memory of 3156	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	85
PID 4016 wrote to memory of 3156	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	85
PID 4016 wrote to memory of 1412	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	86
PID 4016 wrote to memory of 1412	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	86
PID 4016 wrote to memory of 1412	4016	JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ed7cf6b6d3eedfa7a6521fe79966ad3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 476
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 488
      4⤵
      Program crash
      PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3156 -ip 3156
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3156 -ip 3156
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3156-10-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3156-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4016-3-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4016-5-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4016-9-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4016-7-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4016-11-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4908-0-0x0000000000400000-0x0000000000440970-memory.dmp

Filesize
258KB

Download
memory/4908-8-0x0000000000400000-0x0000000000440970-memory.dmp

Filesize
258KB

Download

Analysis

Sharing