xpertrat | 862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

4780 notepad.exe

pid	process
4780	notepad.exe

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	pid	process	target process
PID 516 set thread context of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2992 set thread context of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

pid	process
2776	powershell.exe
2776	powershell.exe
1100	powershell.exe
1100	powershell.exe
3636	powershell.exe
3636	powershell.exe
212	powershell.exe
212	powershell.exe
404	powershell.exe
404	powershell.exe
3100	powershell.exe
3100	powershell.exe
516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe
Token: 36	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe
Token: 36	2776	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	powershell.exe
Token: SeSecurityPrivilege	1100	powershell.exe
Token: SeTakeOwnershipPrivilege	1100	powershell.exe
Token: SeLoadDriverPrivilege	1100	powershell.exe
Token: SeSystemProfilePrivilege	1100	powershell.exe
Token: SeSystemtimePrivilege	1100	powershell.exe
Token: SeProfSingleProcessPrivilege	1100	powershell.exe
Token: SeIncBasePriorityPrivilege	1100	powershell.exe
Token: SeCreatePagefilePrivilege	1100	powershell.exe
Token: SeBackupPrivilege	1100	powershell.exe
Token: SeRestorePrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeSystemEnvironmentPrivilege	1100	powershell.exe
Token: SeRemoteShutdownPrivilege	1100	powershell.exe
Token: SeUndockPrivilege	1100	powershell.exe
Token: SeManageVolumePrivilege	1100	powershell.exe
Token: 33	1100	powershell.exe
Token: 34	1100	powershell.exe
Token: 35	1100	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeiexplore.exe

pid process

2992 eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
3696 iexplore.exe

pid	process
2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
3696	iexplore.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeeefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 516 wrote to memory of 2776	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 2776	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 2776	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 1100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 1100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 1100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3636	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3636	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3636	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 212	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 212	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 212	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 404	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 404	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 404	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 3100	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	powershell.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 516 wrote to memory of 2992	516	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 2992 wrote to memory of 3696	2992	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe	iexplore.exe
PID 3696 wrote to memory of 4780	3696	iexplore.exe	notepad.exe
PID 3696 wrote to memory of 4780	3696	iexplore.exe	notepad.exe
PID 3696 wrote to memory of 4780	3696	iexplore.exe	notepad.exe
PID 3696 wrote to memory of 4780	3696	iexplore.exe	notepad.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
  2⤵
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2992
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\eefa3dd3a36a5decba3c42072ef0798e_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Deletes itself
      PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry