Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 10:35

General

  • Target

    298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    298d23c0ecd0b23b303eed58288e8209

  • SHA1

    7536e0937095311b8565adbadea597e99745d774

  • SHA256

    2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6

  • SHA512

    bb6766ac874e69d8a37575ffa5e450724b638e82c1e9316bb58f2252d1d047e450686c27c4549e17e19ed5d66207997bff1b0ed2b06a58f9c343785acaf85bb8

  • SSDEEP

    3072:gG5yzbGfgyr9z+zyC5yQDVeImFoOS042ywxsaH2+MgsVIVzn0f+CD:AbCRz++OMIgmSzBsyVgf9

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Group

C2

46.183.220.104:10101

Mutex

K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core payload 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        3⤵
          PID:1836
      • C:\Users\Admin\AppData\Roaming\tmp.exe
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        2⤵
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2232
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          C:\Users\Admin\AppData\Roaming\tmp.exe
          3⤵
            PID:540
        • C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"
          2⤵
          • UAC bypass
          • Windows security bypass
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2012
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:692
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 2640
            3⤵
            • Delays execution with timeout.exe
            PID:276

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      4
      T1112

      Discovery

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\FolderN\name.exe
        Filesize

        1.2MB

        MD5

        298d23c0ecd0b23b303eed58288e8209

        SHA1

        7536e0937095311b8565adbadea597e99745d774

        SHA256

        2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6

        SHA512

        bb6766ac874e69d8a37575ffa5e450724b638e82c1e9316bb58f2252d1d047e450686c27c4549e17e19ed5d66207997bff1b0ed2b06a58f9c343785acaf85bb8

      • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
        Filesize

        190B

        MD5

        2f98167fa44c455560450f60ceff0fa0

        SHA1

        34b599d23f9424deed3e4ead29d315f2b5e9dd21

        SHA256

        acc75b60b025aa61061c7663a81505dca62d69aa792cac010a11fea2c5d10f3b

        SHA512

        1d1f1eb11f2bb5ea6aecd8260aee3645f6a28b1f71bca354addd88212fa5627609a9f5ee9622b539f6eb1bfea448ede98a049647cac27e088c9938a292617437

      • \Users\Admin\AppData\Roaming\tmp.exe
        Filesize

        172KB

        MD5

        d5ac3689652f1d3566ec15d8ba4f088a

        SHA1

        aedd8e90ec29f1a0259eb31fab519a398cb4f205

        SHA256

        4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8

        SHA512

        6b989ca5018c9ff845461e150ac23b92ae71ef1d268d8975e52a3293f15eefadde6f3b73670c902f4d146e80db0f799b08fedd87c786ab7af366f4b54e35ba70

      • memory/692-38-0x0000000000400000-0x0000000000443000-memory.dmp
        Filesize

        268KB

      • memory/2012-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2012-18-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

      • memory/2012-20-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

      • memory/2012-26-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

      • memory/2012-23-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

      • memory/2012-49-0x0000000000400000-0x000000000042C000-memory.dmp
        Filesize

        176KB

      • memory/2732-3-0x00000000749E0000-0x0000000074F8B000-memory.dmp
        Filesize

        5.7MB

      • memory/2732-0-0x00000000749E1000-0x00000000749E2000-memory.dmp
        Filesize

        4KB

      • memory/2732-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp
        Filesize

        5.7MB

      • memory/2732-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp
        Filesize

        5.7MB

      • memory/2732-50-0x00000000749E0000-0x0000000074F8B000-memory.dmp
        Filesize

        5.7MB