xpertrat | 862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2932 notepad.exe

pid	process
2932	notepad.exe

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	pid	process	target process
PID 2868 set thread context of 988	2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 988 set thread context of 1960	988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 988 set thread context of 1672	988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

pid	process
2864	powershell.exe
2760	powershell.exe
2676	powershell.exe
3036	powershell.exe
1568	powershell.exe
2724	powershell.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2864	powershell.exe
Token: SeSecurityPrivilege	2864	powershell.exe
Token: SeTakeOwnershipPrivilege	2864	powershell.exe
Token: SeLoadDriverPrivilege	2864	powershell.exe
Token: SeSystemProfilePrivilege	2864	powershell.exe
Token: SeSystemtimePrivilege	2864	powershell.exe
Token: SeProfSingleProcessPrivilege	2864	powershell.exe
Token: SeIncBasePriorityPrivilege	2864	powershell.exe
Token: SeCreatePagefilePrivilege	2864	powershell.exe
Token: SeBackupPrivilege	2864	powershell.exe
Token: SeRestorePrivilege	2864	powershell.exe
Token: SeShutdownPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeSystemEnvironmentPrivilege	2864	powershell.exe
Token: SeRemoteShutdownPrivilege	2864	powershell.exe
Token: SeUndockPrivilege	2864	powershell.exe
Token: SeManageVolumePrivilege	2864	powershell.exe
Token: 33	2864	powershell.exe
Token: 34	2864	powershell.exe
Token: 35	2864	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeIncreaseQuotaPrivilege	2760	powershell.exe
Token: SeSecurityPrivilege	2760	powershell.exe
Token: SeTakeOwnershipPrivilege	2760	powershell.exe
Token: SeLoadDriverPrivilege	2760	powershell.exe
Token: SeSystemProfilePrivilege	2760	powershell.exe
Token: SeSystemtimePrivilege	2760	powershell.exe
Token: SeProfSingleProcessPrivilege	2760	powershell.exe
Token: SeIncBasePriorityPrivilege	2760	powershell.exe
Token: SeCreatePagefilePrivilege	2760	powershell.exe
Token: SeBackupPrivilege	2760	powershell.exe
Token: SeRestorePrivilege	2760	powershell.exe
Token: SeShutdownPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeSystemEnvironmentPrivilege	2760	powershell.exe
Token: SeRemoteShutdownPrivilege	2760	powershell.exe
Token: SeUndockPrivilege	2760	powershell.exe
Token: SeManageVolumePrivilege	2760	powershell.exe
Token: 33	2760	powershell.exe
Token: 34	2760	powershell.exe
Token: 35	2760	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeIncreaseQuotaPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeTakeOwnershipPrivilege	2676	powershell.exe
Token: SeLoadDriverPrivilege	2676	powershell.exe
Token: SeSystemProfilePrivilege	2676	powershell.exe
Token: SeSystemtimePrivilege	2676	powershell.exe
Token: SeProfSingleProcessPrivilege	2676	powershell.exe
Token: SeIncBasePriorityPrivilege	2676	powershell.exe
Token: SeCreatePagefilePrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeRestorePrivilege	2676	powershell.exe
Token: SeShutdownPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeSystemEnvironmentPrivilege	2676	powershell.exe
Token: SeRemoteShutdownPrivilege	2676	powershell.exe
Token: SeUndockPrivilege	2676	powershell.exe
Token: SeManageVolumePrivilege	2676	powershell.exe
Token: 33	2676	powershell.exe
Token: 34	2676	powershell.exe
Token: 35	2676	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeiexplore.exe

pid process

988 eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
1672 iexplore.exe

pid	process
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
1672	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:988

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
3⤵
PID:1960

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
- Deletes itself
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry