Overview

overview

10

Static

static

3

2578debd23...18.exe

windows7-x64

10

2578debd23...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

  • Size

    325KB

  • MD5

    2578debd234465c8aa7bcdf53bc3858a

  • SHA1

    aaec53a7560318b698cec4f1388f26b1c12f9c40

  • SHA256

    0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72

  • SHA512

    849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf

  • SSDEEP

    6144:KiMD5bWl4fAAH3gyLBVpRQ7Wm5qRnu1goA:hl4bHQydlQamL/A

Score
10/10
xpertratgroupevasionrattrojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Group

C2

46.183.220.104:10101

Mutex

K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

    ratxpertrat
  • XpertRAT Core payload 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        3⤵
          PID:2564
      • C:\Users\Admin\AppData\Roaming\tmp.exe
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        2⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2568
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Roaming\tmp.exe
          3⤵
            PID:2496
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          2⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2936
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\svhost.exe
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2384
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 300
            3⤵
            • Delays execution with timeout.exe
            PID:2504

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        32827e69b293b99013bbbe37d029245d

        SHA1

        bc9f80a38f09354d71467a05b0c5a82c3f7dac53

        SHA256

        9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

        SHA512

        58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

        Download Submit
      • C:\Users\Admin\AppData\Roaming\FolderN\name.exe
        Filesize

        325KB

        MD5

        2578debd234465c8aa7bcdf53bc3858a

        SHA1

        aaec53a7560318b698cec4f1388f26b1c12f9c40

        SHA256

        0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72

        SHA512

        849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf

        Download Submit
      • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
        Filesize

        189B

        MD5

        dca86f6bec779bba1b58d992319e88db

        SHA1

        844e656d3603d15ae56f36298f8031ad52935829

        SHA256

        413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

        SHA512

        4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        448KB

        MD5

        dea4be0cd6e1e8e3c7b5ac7c0bd90a57

        SHA1

        07f8fbaaa4c65c3e9327aeb8afba76895e269507

        SHA256

        a221e9aa2edf42cbd95a7d1aefa30e0d73d2c7ba0cff93c3b53db9e364334fef

        SHA512

        a963cc3056d9fdce74ffabcfa7cc32d62c49700a25167f80468919da4d80806c4ceec82d77be04b8bc9362c43bb25d2a0437708bb1159b7efed48fa0ff749f5f

        Download Submit
      • \Users\Admin\AppData\Roaming\tmp.exe
        Filesize

        172KB

        MD5

        d5ac3689652f1d3566ec15d8ba4f088a

        SHA1

        aedd8e90ec29f1a0259eb31fab519a398cb4f205

        SHA256

        4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8

        SHA512

        6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

        Download Submit
      • memory/2264-2-0x0000000074330000-0x00000000748DB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2264-0-0x0000000074331000-0x0000000074332000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2264-1-0x0000000074330000-0x00000000748DB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2264-50-0x0000000074330000-0x00000000748DB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2384-44-0x0000000000400000-0x0000000000443000-memory.dmp
        Filesize

        268KB

        Download
      • memory/2936-20-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2936-26-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2936-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2936-23-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2936-22-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

        Download