xpertrat | e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a | Triage

Sharing

General

Target

6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118
Size

1.1MB
Sample

240523-cgx12aaa34
MD5

6962527d9ac313319bd2b87cd12ab32c
SHA1

cd5c57102e56d6af901919edf41dd85d9f012351
SHA256

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a
SHA512

048f07a350e08d49e70b3a1a1d017c515f700ad0de2415130efe71c455b81cd656ab820104eff6bf39444d9cae1c2220066715ed8efec0e898602e9ea5ab3532
SSDEEP

12288:Z2PCI9ykuSRPFqiVx/kTarr86nHKzCKE7tSlR/h0QRVDNwm:ZM9Pu2Fc6r8y3KcQ7/h0Uu

Score

10^/10

xpertrat kaffyvirus evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

kaffyvirus

C2

84.38.134.115:1234

Mutex

B2H6Y3K0-Y7X5-B5F3-N3W1-K4A558N0M337

Targets

- Target
  
  6962527d9ac313319bd2b87cd12ab32c_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  6962527d9ac313319bd2b87cd12ab32c
- SHA1
  
  cd5c57102e56d6af901919edf41dd85d9f012351
- SHA256
  
  e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a
- SHA512
  
  048f07a350e08d49e70b3a1a1d017c515f700ad0de2415130efe71c455b81cd656ab820104eff6bf39444d9cae1c2220066715ed8efec0e898602e9ea5ab3532
- SSDEEP
  
  12288:Z2PCI9ykuSRPFqiVx/kTarr86nHKzCKE7tSlR/h0QRVDNwm:ZM9Pu2Fc6r8y3KcQ7/h0Uu
Score

10^/10

xpertrat kaffyvirus evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core payload
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xpertratkaffyvirusevasionpersistencerattrojan

behavioral2

xpertratkaffyvirusevasionpersistencerattrojan