1. Home
  2. Software
  3. Expand

Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[1] It has been used by BBSRAT to decompress a CAB file into executable content.[2]

ID: S0361
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.1
Created: 19 February 2019
Last Modified: 20 March 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Expand can be used to decompress a local or remote CAB file into an executable.[1]
Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Expand can be used to download or copy a file into an alternate data stream.[3]
Enterprise T1570 Lateral Tool Transfer

Expand can be used to download or upload a file over a network share.[3]

References

  1. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
  2. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  1. LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.