Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22-09-2024 17:38
General
-
Target
f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
f280eacb46b0ee5c9768d38c8a8ff717
-
SHA1
347c922cd531bd00c6839738222ea811a8700754
-
SHA256
623836d21130037a5ca69a4517e27020b2633de86a0f8b8d614c2268750881d1
-
SHA512
13a90ecf9241f9a4e1fc078e50e6282cb6f15d7cb0c3f152d1013c860b6e4c1da5bff4b54a7450fc7db5644f265d34aca29a047f8eff714259f654b8e8f9c7c3
-
SSDEEP
24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa7/wQ5tyFYHkMNxOaw5:nh+ZkldoPK8Ya7/7tyFPF
Malware Config
Extracted
xpertrat
3.0.10
Client X
cally.duckdns.org:8775
R0W4O1A8-P5N3-Y331-D1M0-B2W4Q6D8D2R6
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
-
XpertRAT Core payload 1 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe"2⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
4KB