General

  • Target

    085e89b8c2a49aa819549e372a82a456_JaffaCakes118

  • Size

    628KB

  • Sample

    240429-xezgasab5z

  • MD5

    085e89b8c2a49aa819549e372a82a456

  • SHA1

    844494e6e33fd48479b7509202a6fcbf43a0303e

  • SHA256

    35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332

  • SHA512

    e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b

  • SSDEEP

    12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ

Malware Config

Extracted

  • Family

    xpertrat

  • Version

    3.0.10

  • Botnet

    Test

  • C2

    140.82.57.249:3614

  • Mutex

    N3S7K4V2-L8C6-M6Q5-Y5I3-V6L7F1Y2X5G0

Targets

    • Target

      085e89b8c2a49aa819549e372a82a456_JaffaCakes118

    • Size

      628KB

    • MD5

      085e89b8c2a49aa819549e372a82a456

    • SHA1

      844494e6e33fd48479b7509202a6fcbf43a0303e

    • SHA256

      35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332

    • SHA512

      e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b

    • SSDEEP

      12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Checks whether UAC is enabled

    • Program crash

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1

  • Bypass User Account Control (T1548.002): 1

  • Impair Defenses (T1562): 3

  • Disable or Modify Tools (T1562.001): 3

  • Modify Registry (T1112): 4

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 3

Tasks