General

  • Target

    6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240523-cgx12aaa34

  • MD5

    6962527d9ac313319bd2b87cd12ab32c

  • SHA1

    cd5c57102e56d6af901919edf41dd85d9f012351

  • SHA256

    e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a

  • SHA512

    048f07a350e08d49e70b3a1a1d017c515f700ad0de2415130efe71c455b81cd656ab820104eff6bf39444d9cae1c2220066715ed8efec0e898602e9ea5ab3532

  • SSDEEP

    12288:Z2PCI9ykuSRPFqiVx/kTarr86nHKzCKE7tSlR/h0QRVDNwm:ZM9Pu2Fc6r8y3KcQ7/h0Uu

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

kaffyvirus

C2

84.38.134.115:1234

Mutex

B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337

Targets

    • Target

      6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118

    • Size

      1.1MB

    • MD5

      6962527d9ac313319bd2b87cd12ab32c

    • SHA1

      cd5c57102e56d6af901919edf41dd85d9f012351

    • SHA256

      e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a

    • SHA512

      048f07a350e08d49e70b3a1a1d017c515f700ad0de2415130efe71c455b81cd656ab820104eff6bf39444d9cae1c2220066715ed8efec0e898602e9ea5ab3532

    • SSDEEP

      12288:Z2PCI9ykuSRPFqiVx/kTarr86nHKzCKE7tSlR/h0QRVDNwm:ZM9Pu2Fc6r8y3KcQ7/h0Uu

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

6
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Tasks