SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. Expand

Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[1] It has been used by BBSRAT to decompress a CAB file into executable content.[2]

ID: S0361
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Expand can be used to decompress a local or remote CAB file into an executable.[1]
Enterprise T1096 NTFS File Attributes

Expand can be used to download or copy a file into an alternate data stream.[3]
Enterprise T1105 Remote File Copy

Expand can be used to download or upload a file over a network share.[3]

References

  1. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
  2. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  1. LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.