xtremerat | 3f6cdddacc5ad8f48bf9afdf228cd7058500f653cbf3466f66e9fca02222d5cc

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-02-2025 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
Size

683KB
MD5

deeb2500038e367d8a4baa0ba5b6cdc3
SHA1

6850d425a44bbb770800e1e167daad441a4d229b
SHA256

3f6cdddacc5ad8f48bf9afdf228cd7058500f653cbf3466f66e9fca02222d5cc
SHA512

ce69c9b00dd0c77e950466addc1fa17ce65645b099c486e2aa354c5b503b889d5016bacefb4d7d57af725d39e50d0928cbf396f95f989b57808dc1bcd6fed85f
SSDEEP

12288:Mutrzh9xOXki5l1V2SrwDE8b09uDdLqCNQruBLiqawOLB2fm4Yi5Zpi+ZmLbyMvq:Mutr5OUi5l1V26uA9e8CN0KLiveYuZpX

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

baseeem.no-ip.biz

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/3048-40-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral1/memory/3048-43-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral1/memory/3048-42-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral1/memory/2800-49-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Executes dropped EXE 3 IoCs

pid	Process
1508	2.exe
2908	2.exe
3048	2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2908	1508	2.exe	30
PID 1508 set thread context of 3048	1508	2.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\2.exe	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
File opened for modification	C:\Windows\2.exe	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259546148	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	2.exe
2908	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	2.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1996 wrote to memory of 1508	1996	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	29
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 1508 wrote to memory of 2908	1508	2.exe	30
PID 2908 wrote to memory of 1244	2908	2.exe	20
PID 2908 wrote to memory of 1244	2908	2.exe	20
PID 2908 wrote to memory of 1244	2908	2.exe	20
PID 2908 wrote to memory of 1244	2908	2.exe	20
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 1508 wrote to memory of 3048	1508	2.exe	31
PID 3048 wrote to memory of 2800	3048	2.exe	32
PID 3048 wrote to memory of 2800	3048	2.exe	32
PID 3048 wrote to memory of 2800	3048	2.exe	32
PID 3048 wrote to memory of 2800	3048	2.exe	32
PID 3048 wrote to memory of 2800	3048	2.exe	32
PID 3048 wrote to memory of 2712	3048	2.exe	33
PID 3048 wrote to memory of 2712	3048	2.exe	33
PID 3048 wrote to memory of 2712	3048	2.exe	33
PID 3048 wrote to memory of 2712	3048	2.exe	33
PID 3048 wrote to memory of 2712	3048	2.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\WINDOWS\2.exe
    "C:\WINDOWS\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\WINDOWS\2.exe
      "C:\WINDOWS\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2908
  - - C:\WINDOWS\2.exe
      "C:\WINDOWS\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
1.2MB

MD5
f6fa82dffba7032efe5cdf2e336785df

SHA1
426a766ebc0302c9411eae1003afef2d1c8d609b

SHA256
6d7c604815b26bf577577eb0e9f3dc04591b06199817a3bf4b5100f22a11ed2c

SHA512
aefae1242be62114c7b0561954c7318511e8b6ab133e48b04cdfe406b09caaba0458e02cf51ef277aef864ef84257eeb9d0d9ff69e1e5559d16b42773520a396

Download Submit
memory/1244-27-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1244-24-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1508-10-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-38-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-11-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-14-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-17-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-45-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-39-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1508-13-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1508-9-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1508-12-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2800-49-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/2800-47-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/2908-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2908-23-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2908-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2908-21-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2908-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3048-40-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/3048-43-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/3048-42-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/3048-44-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download