Overview

overview

10

Static

static

3

7560b03d97...18.exe

windows7-x64

10

7560b03d97...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7560b03d9721036181565287e85d9525_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240401-vfw2fsae59

  • MD5

    7560b03d9721036181565287e85d9525

  • SHA1

    447c0d915c9236b5f3221bfbe05e5b57785d3142

  • SHA256

    f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87

  • SHA512

    fb38977856b6d4702b1793916c90b0b595dc8881457d6a2a98ba488f80e444314a5e1cdaa0f6a741e6c12b129195fd04f499d84a4cca32386c64fe58ccdfe583

  • SSDEEP

    24576:wLFftZPKgfM82jk4sM7RPPzN6dK3KEf02oaSzFEvtOA:QZPK3DkktYw3ttyzF2tf

Score
10/10
xpertratzgrattestevasionpersistencerattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Targets

    • Target

      7560b03d9721036181565287e85d9525_JaffaCakes118

    • Size

      1.1MB

    • MD5

      7560b03d9721036181565287e85d9525

    • SHA1

      447c0d915c9236b5f3221bfbe05e5b57785d3142

    • SHA256

      f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87

    • SHA512

      fb38977856b6d4702b1793916c90b0b595dc8881457d6a2a98ba488f80e444314a5e1cdaa0f6a741e6c12b129195fd04f499d84a4cca32386c64fe58ccdfe583

    • SSDEEP

      24576:wLFftZPKgfM82jk4sM7RPPzN6dK3KEf02oaSzFEvtOA:QZPK3DkktYw3ttyzF2tf

    Score
    10/10
    xpertratzgrattestevasionpersistencerattrojan

    • Detect ZGRat V1

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

      ratxpertrat

    • XpertRAT Core payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks