General

  • Target

    d30bd44d161347d5ecf0aa5f6ee9506e_JaffaCakes118

  • Size

    314KB

  • Sample

    240907-3elhbs1ejk

  • MD5

    d30bd44d161347d5ecf0aa5f6ee9506e

  • SHA1

    e70a38e58e2c0d5f28b911859612067574c16c74

  • SHA256

    00c0f1c0d8bce6a3ed14907f7322ecd06c0a11feb0058f1c016c65ec7518ea16

  • SHA512

    0120d8791c205a009a621c0776bdfb17711e602f1bf13e90c6a6a167e475dbe2716e3a739c1938157cfcefc93eaf51c208658213f48d18276b3d03b7273aa3f2

  • SSDEEP

    6144:JkbQQs4kK5DGyJKoWZxar9lJ5JvR89NlY:JxbMDGu/WZ+vIlY

Malware Config

Extracted

  • Family

    xpertrat

  • Version

    3.0.10

  • Botnet

  • Group

  • C2

    46.183.220.104:10101

  • Mutex

    K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5

Targets

    • Target

      d30bd44d161347d5ecf0aa5f6ee9506e_JaffaCakes118

    • Size

      314KB

    • MD5

      d30bd44d161347d5ecf0aa5f6ee9506e

    • SHA1

      e70a38e58e2c0d5f28b911859612067574c16c74

    • SHA256

      00c0f1c0d8bce6a3ed14907f7322ecd06c0a11feb0058f1c016c65ec7518ea16

    • SHA512

      0120d8791c205a009a621c0776bdfb17711e602f1bf13e90c6a6a167e475dbe2716e3a739c1938157cfcefc93eaf51c208658213f48d18276b3d03b7273aa3f2

    • SSDEEP

      6144:JkbQQs4kK5DGyJKoWZxar9lJ5JvR89NlY:JxbMDGu/WZ+vIlY

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks