Skip to content

S0361 Expand

Expand is a Windows utility used to expand one or more compressed CAB files.1 It has been used by BBSRAT to decompress a CAB file into executable content.2

Item Value
ID S0361
Associated Names
Type TOOL
Version 1.1
Created 19 February 2019
Last Modified 20 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information Expand can be used to decompress a local or remote CAB file into an executable.1
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes Expand can be used to download or copy a file into an alternate data stream.3
enterprise T1570 Lateral Tool Transfer Expand can be used to download or upload a file over a network share.3

References

  1. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019. 

  2. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  3. LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.