xpertrat | 862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2932 notepad.exe

pid	process
2932	notepad.exe

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	pid	process	target process
PID 2868 set thread context of 988	2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 988 set thread context of 1960	988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 988 set thread context of 1672	988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

pid	process
2864	powershell.exe
2760	powershell.exe
2676	powershell.exe
3036	powershell.exe
1568	powershell.exe
2724	powershell.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2868	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2864	powershell.exe
Token: SeSecurityPrivilege	2864	powershell.exe
Token: SeTakeOwnershipPrivilege	2864	powershell.exe
Token: SeLoadDriverPrivilege	2864	powershell.exe
Token: SeSystemProfilePrivilege	2864	powershell.exe
Token: SeSystemtimePrivilege	2864	powershell.exe
Token: SeProfSingleProcessPrivilege	2864	powershell.exe
Token: SeIncBasePriorityPrivilege	2864	powershell.exe
Token: SeCreatePagefilePrivilege	2864	powershell.exe
Token: SeBackupPrivilege	2864	powershell.exe
Token: SeRestorePrivilege	2864	powershell.exe
Token: SeShutdownPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeSystemEnvironmentPrivilege	2864	powershell.exe
Token: SeRemoteShutdownPrivilege	2864	powershell.exe
Token: SeUndockPrivilege	2864	powershell.exe
Token: SeManageVolumePrivilege	2864	powershell.exe
Token: 33	2864	powershell.exe
Token: 34	2864	powershell.exe
Token: 35	2864	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeIncreaseQuotaPrivilege	2760	powershell.exe
Token: SeSecurityPrivilege	2760	powershell.exe
Token: SeTakeOwnershipPrivilege	2760	powershell.exe
Token: SeLoadDriverPrivilege	2760	powershell.exe
Token: SeSystemProfilePrivilege	2760	powershell.exe
Token: SeSystemtimePrivilege	2760	powershell.exe
Token: SeProfSingleProcessPrivilege	2760	powershell.exe
Token: SeIncBasePriorityPrivilege	2760	powershell.exe
Token: SeCreatePagefilePrivilege	2760	powershell.exe
Token: SeBackupPrivilege	2760	powershell.exe
Token: SeRestorePrivilege	2760	powershell.exe
Token: SeShutdownPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeSystemEnvironmentPrivilege	2760	powershell.exe
Token: SeRemoteShutdownPrivilege	2760	powershell.exe
Token: SeUndockPrivilege	2760	powershell.exe
Token: SeManageVolumePrivilege	2760	powershell.exe
Token: 33	2760	powershell.exe
Token: 34	2760	powershell.exe
Token: 35	2760	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeIncreaseQuotaPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe
Token: SeTakeOwnershipPrivilege	2676	powershell.exe
Token: SeLoadDriverPrivilege	2676	powershell.exe
Token: SeSystemProfilePrivilege	2676	powershell.exe
Token: SeSystemtimePrivilege	2676	powershell.exe
Token: SeProfSingleProcessPrivilege	2676	powershell.exe
Token: SeIncBasePriorityPrivilege	2676	powershell.exe
Token: SeCreatePagefilePrivilege	2676	powershell.exe
Token: SeBackupPrivilege	2676	powershell.exe
Token: SeRestorePrivilege	2676	powershell.exe
Token: SeShutdownPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeSystemEnvironmentPrivilege	2676	powershell.exe
Token: SeRemoteShutdownPrivilege	2676	powershell.exe
Token: SeUndockPrivilege	2676	powershell.exe
Token: SeManageVolumePrivilege	2676	powershell.exe
Token: 33	2676	powershell.exe
Token: 34	2676	powershell.exe
Token: 35	2676	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeiexplore.exe

pid process

988 eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
1672 iexplore.exe

pid	process
988	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
1672	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:612
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:308
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  PID:768
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:988
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
    3⤵
    PID:1960
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1672
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Deletes itself
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry