xtremerat | 52326b939dbe798f3fc4cc5ccc2e5570f88c05814c7b03811494c6cc680b872c

General

Target

JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe
Size

94KB
MD5

b3f5ede5f64fc017b6cd05879dc4494b
SHA1

c882b9f0f95f383145dfd47636972f453b5702c9
SHA256

52326b939dbe798f3fc4cc5ccc2e5570f88c05814c7b03811494c6cc680b872c
SHA512

94944c6a4b58a8821cf0f6747c9153b194fc5f99f23015bc5c068ecbb7d2ccd69a63399e3cea04f9b68534bb46a7627d211da02633b968e6e5d554bdd5fab566
SSDEEP

1536:Rj4hqn6xsETucb/vxnDm4hqn6xsETucbd/UhAPZg4X74qqLMcjfK:ehdJbg4hdJbSOgwfs

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

hkr0550.no-ip.biz

Listahkrmoot.no-ip.biz

Listaa7bkmoot.no-ip.biz

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/4864-12-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/4864-13-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/4804-14-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/4864-15-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral1/memory/4804-16-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe

Executes dropped EXE 2 IoCs

pid	Process
4700	dd.exe
4864	dd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 4864	4700	dd.exe	88

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4864-8-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4864-12-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4864-13-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4864-11-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4804-14-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4864-15-0x0000000010000000-0x0000000010048000-memory.dmp	upx
behavioral1/memory/4804-16-0x0000000010000000-0x0000000010048000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5028	4804	WerFault.exe	89
4648	4804	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 4700	1296	JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe	87
PID 1296 wrote to memory of 4700	1296	JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe	87
PID 1296 wrote to memory of 4700	1296	JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe	87
PID 4700 wrote to memory of 4864	4700	dd.exe	88
PID 4700 wrote to memory of 4864	4700	dd.exe	88
PID 4700 wrote to memory of 4864	4700	dd.exe	88
PID 4700 wrote to memory of 4864	4700	dd.exe	88
PID 4700 wrote to memory of 4864	4700	dd.exe	88
PID 4864 wrote to memory of 4804	4864	dd.exe	89
PID 4864 wrote to memory of 4804	4864	dd.exe	89
PID 4864 wrote to memory of 4804	4864	dd.exe	89
PID 4864 wrote to memory of 4804	4864	dd.exe	89
PID 4864 wrote to memory of 4828	4864	dd.exe	90
PID 4864 wrote to memory of 4828	4864	dd.exe	90
PID 4864 wrote to memory of 4828	4864	dd.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3f5ede5f64fc017b6cd05879dc4494b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\dd.exe
  "C:\Users\Admin\AppData\Local\Temp\dd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\dd.exe
    "C:\Users\Admin\AppData\Local\Temp\dd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 444
        5⤵
        Program crash
        
        PID:5028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 500
        5⤵
        Program crash
        
        PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4804 -ip 4804
1⤵
PID:5616

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd.exe

Filesize
60KB

MD5
85960db3eb5826f2e287f52c7083b4ae

SHA1
a55ecaa3acb87accb147477740da078b4ee953ea

SHA256
a91e941872b09a1aaf4a28e5dfb7d7e11a9fc4cca2867c8df3137b585091d77a

SHA512
7bf0939ccd53725a6ac8ad2ea881ebb6e89b505708c8403fe87c42c6db373c52879cc83fbd1b0a61148e05d9ce447e7691720131d1888ca2a04f631569ba305c

Download Submit
memory/4804-14-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4804-16-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4864-8-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4864-12-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4864-13-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4864-11-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4864-15-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing