xtremerat | 3f6cdddacc5ad8f48bf9afdf228cd7058500f653cbf3466f66e9fca02222d5cc

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
Size

683KB
MD5

deeb2500038e367d8a4baa0ba5b6cdc3
SHA1

6850d425a44bbb770800e1e167daad441a4d229b
SHA256

3f6cdddacc5ad8f48bf9afdf228cd7058500f653cbf3466f66e9fca02222d5cc
SHA512

ce69c9b00dd0c77e950466addc1fa17ce65645b099c486e2aa354c5b503b889d5016bacefb4d7d57af725d39e50d0928cbf396f95f989b57808dc1bcd6fed85f
SSDEEP

12288:Mutrzh9xOXki5l1V2SrwDE8b09uDdLqCNQruBLiqawOLB2fm4Yi5Zpi+ZmLbyMvq:Mutr5OUi5l1V26uA9e8CN0KLiveYuZpX

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

baseeem.no-ip.biz

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/4292-36-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/4292-38-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/4292-40-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/3532-43-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/3532-44-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
11	4576	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe

Executes dropped EXE 3 IoCs

pid	Process
2716	2.exe
1836	2.exe
4292	2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 1836	2716	2.exe	88
PID 2716 set thread context of 4292	2716	2.exe	91

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_240616171	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
File created	C:\Windows\2.exe	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
File opened for modification	C:\Windows\2.exe	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5036	3532	WerFault.exe	92
3244	3532	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
100	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1836	2.exe
1836	2.exe
1836	2.exe
1836	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	2.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2716	2476	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	86
PID 2476 wrote to memory of 2716	2476	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	86
PID 2476 wrote to memory of 2716	2476	JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe	86
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 2716 wrote to memory of 1836	2716	2.exe	88
PID 1836 wrote to memory of 3500	1836	2.exe	56
PID 1836 wrote to memory of 3500	1836	2.exe	56
PID 1836 wrote to memory of 3500	1836	2.exe	56
PID 1836 wrote to memory of 3500	1836	2.exe	56
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 2716 wrote to memory of 4292	2716	2.exe	91
PID 4292 wrote to memory of 3532	4292	2.exe	92
PID 4292 wrote to memory of 3532	4292	2.exe	92
PID 4292 wrote to memory of 3532	4292	2.exe	92
PID 4292 wrote to memory of 3532	4292	2.exe	92
PID 4292 wrote to memory of 2084	4292	2.exe	93
PID 4292 wrote to memory of 2084	4292	2.exe	93
PID 4292 wrote to memory of 2084	4292	2.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_deeb2500038e367d8a4baa0ba5b6cdc3.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\WINDOWS\2.exe
    "C:\WINDOWS\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\WINDOWS\2.exe
      "C:\WINDOWS\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1836
  - - C:\WINDOWS\2.exe
      "C:\WINDOWS\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 484
        6⤵
        Program crash
        
        PID:5036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 492
        6⤵
        Program crash
        
        PID:3244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3532 -ip 3532
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3532 -ip 3532
1⤵
PID:2356

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0JCOTdCRUItRkVFRC00RDc1LUE0OEYtREE3NENGNUY0MkQ5fSIgdXNlcmlkPSJ7QTZFQTNEMDctOEEwRi00MTE2LUE4NzUtOTA2N0Q0RURBRjk4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTY2RjI1MEEtMDk0RS00M0ExLThDNTItRkYwMDJBMDdDOUEwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODQ4NTY2MzQzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\2.exe

Filesize
1.2MB

MD5
f6fa82dffba7032efe5cdf2e336785df

SHA1
426a766ebc0302c9411eae1003afef2d1c8d609b

SHA256
6d7c604815b26bf577577eb0e9f3dc04591b06199817a3bf4b5100f22a11ed2c

SHA512
aefae1242be62114c7b0561954c7318511e8b6ab133e48b04cdfe406b09caaba0458e02cf51ef277aef864ef84257eeb9d0d9ff69e1e5559d16b42773520a396

Download Submit
memory/1836-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-29-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2716-28-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-12-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2716-22-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-15-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-18-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-27-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-19-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-17-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-13-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-16-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2716-41-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3500-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3500-31-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3532-43-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/3532-44-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4292-36-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4292-38-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4292-40-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4292-42-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download