xtremerat | 640302e527419c0cf4e19e698a8e83697fe874d9753b9182d8e8b5f54cde5ab6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/03/2025, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
Size

5.0MB
MD5

7cb31a3ec7995574c848738ad108616c
SHA1

70faa7380f5722353a8c4be397aa40ec40297459
SHA256

640302e527419c0cf4e19e698a8e83697fe874d9753b9182d8e8b5f54cde5ab6
SHA512

6439fb7378330534cb0cea41c902396cc559d3127766731d468c32ae2d932885a7d370372b3b51899d24a63d5e72f6ce627b4f0766f2f3e5834d00bf847d9747
SSDEEP

98304:yJRo3d0hXVq9dri/msSa6WYiJ97m4am1p5jS9cmByE1lwd5KOHnlWY0:zd03qHImsQWYiz73aWjS9co3fqKOHlH0

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

ak474.zapto.org

Signatures

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2620-39-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2620-41-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2604-45-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2664-48-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2664-52-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/2664-51-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M0PIV6Y-7Y60-V41P-CM3L-UL0O2O57BJ52}	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M0PIV6Y-7Y60-V41P-CM3L-UL0O2O57BJ52}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	notepad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M0PIV6Y-7Y60-V41P-CM3L-UL0O2O57BJ52}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6M0PIV6Y-7Y60-V41P-CM3L-UL0O2O57BJ52}\StubPath = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2808	Panorama_Corrector.exe
2940	Dog.exe
2912	Panorama_Corrector.tmp
2620	Dog.exe

Loads dropped DLL 7 IoCs

pid	Process
2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
2808	Panorama_Corrector.exe
2940	Dog.exe
2912	Panorama_Corrector.tmp
2912	Panorama_Corrector.tmp

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	notepad.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Panorama_Corrector.tmp
File opened (read-only)	\??\G:	Panorama_Corrector.tmp
File opened (read-only)	\??\J:	Panorama_Corrector.tmp
File opened (read-only)	\??\P:	Panorama_Corrector.tmp
File opened (read-only)	\??\Q:	Panorama_Corrector.tmp
File opened (read-only)	\??\R:	Panorama_Corrector.tmp
File opened (read-only)	\??\S:	Panorama_Corrector.tmp
File opened (read-only)	\??\T:	Panorama_Corrector.tmp
File opened (read-only)	\??\E:	Panorama_Corrector.tmp
File opened (read-only)	\??\I:	Panorama_Corrector.tmp
File opened (read-only)	\??\L:	Panorama_Corrector.tmp
File opened (read-only)	\??\O:	Panorama_Corrector.tmp
File opened (read-only)	\??\V:	Panorama_Corrector.tmp
File opened (read-only)	\??\W:	Panorama_Corrector.tmp
File opened (read-only)	\??\X:	Panorama_Corrector.tmp
File opened (read-only)	\??\Z:	Panorama_Corrector.tmp
File opened (read-only)	\??\A:	Panorama_Corrector.tmp
File opened (read-only)	\??\K:	Panorama_Corrector.tmp
File opened (read-only)	\??\M:	Panorama_Corrector.tmp
File opened (read-only)	\??\Y:	Panorama_Corrector.tmp
File opened (read-only)	\??\H:	Panorama_Corrector.tmp
File opened (read-only)	\??\N:	Panorama_Corrector.tmp
File opened (read-only)	\??\U:	Panorama_Corrector.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2620	2940	Dog.exe	33

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2256-25-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	notepad.exe
File created	C:\Windows\InstallDir\Server.exe	notepad.exe
File opened for modification	C:\Windows\InstallDir\	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panorama_Corrector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panorama_Corrector.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	Dog.exe
2664	notepad.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2808	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	30
PID 2256 wrote to memory of 2940	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	31
PID 2256 wrote to memory of 2940	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	31
PID 2256 wrote to memory of 2940	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	31
PID 2256 wrote to memory of 2940	2256	JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe	31
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2808 wrote to memory of 2912	2808	Panorama_Corrector.exe	32
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2940 wrote to memory of 2620	2940	Dog.exe	33
PID 2620 wrote to memory of 2604	2620	Dog.exe	34
PID 2620 wrote to memory of 2604	2620	Dog.exe	34
PID 2620 wrote to memory of 2604	2620	Dog.exe	34
PID 2620 wrote to memory of 2604	2620	Dog.exe	34
PID 2620 wrote to memory of 2604	2620	Dog.exe	34
PID 2620 wrote to memory of 2664	2620	Dog.exe	35
PID 2620 wrote to memory of 2664	2620	Dog.exe	35
PID 2620 wrote to memory of 2664	2620	Dog.exe	35
PID 2620 wrote to memory of 2664	2620	Dog.exe	35
PID 2620 wrote to memory of 2664	2620	Dog.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7cb31a3ec7995574c848738ad108616c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe
  "C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\is-DEO2G.tmp\Panorama_Corrector.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DEO2G.tmp\Panorama_Corrector.tmp" /SL5="$3018C,4832331,141824,C:\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\Dog.exe
  "C:\Users\Admin\AppData\Local\Temp\Dog.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\Dog.exe
    C:\Users\Admin\AppData\Local\Temp\Dog.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2604
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dog.exe

Filesize
121KB

MD5
8bfaf58c21c74ac73df6387709debd06

SHA1
08d050d619b60ec3586dc74358b15993c55e36d3

SHA256
00dfa59e87f30d4efa8986a4b217d4ef8309a57366aff1c4f4064f5d8f222e95

SHA512
661b7709bdbeb5ac4e067faaae7513ae2ad87ce83914547923b0fc23f4d333cbd2d55f58a3720a16d9c95284a4eed985447d58a34bd6a00fae760edf46ec4756

Download Submit
\Users\Admin\AppData\Local\Temp\Panorama_Corrector.exe

Filesize
5.0MB

MD5
1fc2828885558e6f26d83200a492b1c1

SHA1
63286efa86ac14a948ded8d4516878ae3af5757a

SHA256
627b830466eb837dd5c4fb3d53d3dcd21fe329420f1b9e22e0c14844c834db6f

SHA512
dab28f90efdbb26818cd1244582e023520a2e69c63824f59b247bd7f42498c229f90fafcb088bfa57fc8946121495fb99fe7278d67f73167a0dd035b5cb5db54

Download Submit
\Users\Admin\AppData\Local\Temp\is-DEO2G.tmp\Panorama_Corrector.tmp

Filesize
1.1MB

MD5
2e30da9c21c0847dd7135895d6388d46

SHA1
3435b0964bd238022819733ea7f049b3b215df3e

SHA256
0002f4046ef35e169fa79e2abf0b92212c1438487819dd8318301991ff99acac

SHA512
d7dabdbeaab41eddfb045d55c4752485fe231373dd8e45af26add7a238e928fd7905ae3ee9a2df34f484eabe4d8b7bcda775ef12822993b1850a3daa58f06aae

Download Submit
\Users\Admin\AppData\Local\Temp\is-UHLBA.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2256-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-43-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2604-45-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2620-41-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2620-39-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2664-52-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2664-48-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2664-51-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2808-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-23-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2808-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-64-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-68-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-57-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-59-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-62-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-82-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-66-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-55-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-70-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-72-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-74-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-76-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-78-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2912-80-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2940-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads