Overview

overview

10

Static

static

3

eefa3dd3a3...18.exe

windows7-x64

10

eefa3dd3a3...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118

  • Size

    911KB

  • Sample

    240412-djsd1agd6s

  • MD5

    eefa3dd3a36a5decba3c42072ef0798e

  • SHA1

    a51f4f499fc618b9dc36e079258ed3c087e2bae5

  • SHA256

    862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

  • SHA512

    6e28230749c2938279e32d4c2631ea6193f28c2a5d5cd38f4176dc8e5e70a986db866e770ff32e4eaad3233b8e336f66877e1e2c70c9ef5ec2f3912f9df7d6a2

  • SSDEEP

    12288:bJmWMzH+hB/pzxJi3X3+b6umJBDARbeqTJgRGL1xPJH1gOk2jNdgx8qNUn3PHMO:TLpXk+b6umJBDAJeqtgR8XN1g4EO

Score
10/10
xpertratevasionpersistencerattrojan

Malware Config

Targets

    • Target

      eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118

    • Size

      911KB

    • MD5

      eefa3dd3a36a5decba3c42072ef0798e

    • SHA1

      a51f4f499fc618b9dc36e079258ed3c087e2bae5

    • SHA256

      862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

    • SHA512

      6e28230749c2938279e32d4c2631ea6193f28c2a5d5cd38f4176dc8e5e70a986db866e770ff32e4eaad3233b8e336f66877e1e2c70c9ef5ec2f3912f9df7d6a2

    • SSDEEP

      12288:bJmWMzH+hB/pzxJi3X3+b6umJBDARbeqTJgRGL1xPJH1gOk2jNdgx8qNUn3PHMO:TLpXk+b6umJBDAJeqtgR8XN1g4EO

    Score
    10/10
    xpertratevasionpersistencerattrojan

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

      ratxpertrat

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks