xpertrat | 0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72

General

Target

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
Size

325KB
MD5

2578debd234465c8aa7bcdf53bc3858a
SHA1

aaec53a7560318b698cec4f1388f26b1c12f9c40
SHA256

0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72
SHA512

849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf
SSDEEP

6144:KiMD5bWl4fAAH3gyLBVpRQ7Wm5qRnu1goA:hl4bHQydlQamL/A

Score

10^/10

xpertrat group evasion rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Group

C2

46.183.220.104:10101

Mutex

K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

tmp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

tmp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" tmp.exe
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	tmp.exe

XpertRAT Core payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1012-31-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

tmp.exesvhost.exe

pid process

4764 tmp.exe
1908 svhost.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

tmp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" tmp.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe

pid	process
4764	tmp.exe
1908	svhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exetmp.exe

description	pid	process	target process
PID 1104 set thread context of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 4764 set thread context of 1012	4764	tmp.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

440 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
440	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exetmp.exe

pid	process
1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
4764	tmp.exe
4764	tmp.exe
4764	tmp.exe
4764	tmp.exe
1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
Token: 33	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
Token: SeDebugPrivilege	1012	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exeiexplore.exe

pid process

4764 tmp.exe
1012 iexplore.exe

pid	process
4764	tmp.exe
1012	iexplore.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.execmd.exetmp.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 3252	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 3252	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 3252	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 3252 wrote to memory of 4356	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4356	3252	cmd.exe	reg.exe
PID 3252 wrote to memory of 4356	3252	cmd.exe	reg.exe
PID 1104 wrote to memory of 4764	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	tmp.exe
PID 1104 wrote to memory of 4764	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	tmp.exe
PID 1104 wrote to memory of 4764	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	tmp.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1908	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	svhost.exe
PID 1104 wrote to memory of 1260	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 1260	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 1260	1104	2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe	cmd.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 4764 wrote to memory of 1012	4764	tmp.exe	iexplore.exe
PID 1260 wrote to memory of 440	1260	cmd.exe	timeout.exe
PID 1260 wrote to memory of 440	1260	cmd.exe	timeout.exe
PID 1260 wrote to memory of 440	1260	cmd.exe	timeout.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

tmp.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp.exe

C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2578debd234465c8aa7bcdf53bc3858a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
3⤵
PID:4356

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4764

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\tmp.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe
Filesize
325KB

MD5
2578debd234465c8aa7bcdf53bc3858a

SHA1
aaec53a7560318b698cec4f1388f26b1c12f9c40

SHA256
0f4e7faf833c30ed300efa46b4b1d083523d48ec2864f110d2a2d5b47eb67a72

SHA512
849947365c47ab82f54d7e7b6a5105e28bf684cff0ad3f313541722dcc2b0ae9bbdeb794b771a32a07fd6b1f071f2b99e7c8464167aff036a622fc969ce4fcdf

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
Filesize
189B

MD5
dca86f6bec779bba1b58d992319e88db

SHA1
844e656d3603d15ae56f36298f8031ad52935829

SHA256
413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

SHA512
4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
Filesize
172KB

MD5
d5ac3689652f1d3566ec15d8ba4f088a

SHA1
aedd8e90ec29f1a0259eb31fab519a398cb4f205

SHA256
4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8

SHA512
6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

Download Submit
memory/1012-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

Filesize
4KB

Download
memory/1104-1-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1104-2-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1104-37-0x0000000074A60000-0x0000000075011000-memory.dmp

Filesize
5.7MB

Download
memory/1908-26-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads