General

  • Target

    085e89b8c2a49aa819549e372a82a456_JaffaCakes118

  • Size

    628KB

  • Sample

    240429-xezgasab5z

  • MD5

    085e89b8c2a49aa819549e372a82a456

  • SHA1

    844494e6e33fd48479b7509202a6fcbf43a0303e

  • SHA256

    35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332

  • SHA512

    e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b

  • SSDEEP

    12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

140.82.57.249:3614

Mutex

N3S7K4V2-L8C6-M6Q5-Y5I3-V6L7F1Y2X5G0

Targets

    • Target

      085e89b8c2a49aa819549e372a82a456_JaffaCakes118

    • Size

      628KB

    • MD5

      085e89b8c2a49aa819549e372a82a456

    • SHA1

      844494e6e33fd48479b7509202a6fcbf43a0303e

    • SHA256

      35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332

    • SHA512

      e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b

    • SSDEEP

      12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Checks whether UAC is enabled

    • Program crash

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks