xtremerat | 1391317a47c89d0565b3a43a8ffeda8bf9a540ce1d9941ddbb5cd42e0ebfe4cb

General

Target

JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe
Size

92KB
MD5

25d2ddbce9d5949b943fe58930507134
SHA1

c687874a70222d227bb24f814859a47ab12b56e4
SHA256

1391317a47c89d0565b3a43a8ffeda8bf9a540ce1d9941ddbb5cd42e0ebfe4cb
SHA512

711b0a79cc4ab687dc5f475179b8b18ba95a1066c1754bcdf0548171e464ad0ac211a0a9a96628b0043275c70ab57d3f55194dd1b03464204ec033f3c51d75e3
SSDEEP

1536:VKxpv88ouifThnmVfm/mzS64JD+E4qxw882jJpSdQvXQKwvJpL1:GpqSVfBS6S+QxB82adONwvJpB

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4100-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4100-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/2092-49-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat
behavioral2/memory/4100-52-0x0000000000C80000-0x0000000000C95000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HI0PI403-N7C2-5518-H4V5-ATTB36P5FE8V}	55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HI0PI403-N7C2-5518-H4V5-ATTB36P5FE8V}\StubPath = "C:\\Windows\\system32\\InstallDir\\opdat.exe restart"	55.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{HI0PI403-N7C2-5518-H4V5-ATTB36P5FE8V}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{HI0PI403-N7C2-5518-H4V5-ATTB36P5FE8V}\StubPath = "C:\\Windows\\system32\\InstallDir\\opdat.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	55.exe
4100	55.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\opdat.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\opdat.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\opdat.exe"	55.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\opdat.exe"	55.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\InstallDir\opdat.exe	55.exe
File created	C:\Windows\SysWOW64\InstallDir\opdat.exe	55.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 4100	1828	55.exe	93

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4100-33-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4100-37-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4100-38-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4100-39-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/2092-49-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx
behavioral2/memory/4100-52-0x0000000000C80000-0x0000000000C95000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	1828	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1828	55.exe
4100	55.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1828	3476	JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe	89
PID 3476 wrote to memory of 1828	3476	JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe	89
PID 3476 wrote to memory of 1828	3476	JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe	89
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 1828 wrote to memory of 4100	1828	55.exe	93
PID 4100 wrote to memory of 2092	4100	55.exe	94
PID 4100 wrote to memory of 2092	4100	55.exe	94
PID 4100 wrote to memory of 2092	4100	55.exe	94
PID 4100 wrote to memory of 2092	4100	55.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25d2ddbce9d5949b943fe58930507134.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\55.exe
  "C:\Users\Admin\AppData\Local\Temp\55.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 472
    3⤵
    - Program crash
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\55.exe
    C:\Users\Admin\AppData\Local\Temp\55.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 1828
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55.exe

Filesize
45KB

MD5
d7c7170f6f46e95a10695157088a620f

SHA1
e8d9826b0f60014187dedfa1307c16be28e93fa2

SHA256
2e2f911153571516a6df4fa008e756e6c93f038068e5ec37e91dc9c720b975f8

SHA512
bede756d0425d19d389f6a3ed396a4336d4c491e239eabcd299bbab6b8ac849e2056b90e13b011310ec93ae69c6aea1a6f5c85b86b11175d09e797fed9c4eee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
187B

MD5
bc48041f1457a3639872b4de20a2dac9

SHA1
2fb6d90be5e55bcc8a452a09d12955ac43cdb5b1

SHA256
d7d7f32dca4f383b1f4451e58fe2429df8e56a8d3543e62f4cda8f73f81e749e

SHA512
4fe56f82d899adbb81f618307a67cb0a01d1f3974a5eec33f2e2aa6f0d6256f44491e41fa97637bfa641712fa7d1ddcb174f938c4a90a3043cf28eb18c5905c7

Download Submit
memory/1828-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1828-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2092-49-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/3476-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3476-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3476-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3476-43-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4100-37-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4100-39-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4100-38-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4100-36-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4100-33-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/4100-52-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads