Analysis
max time kernel: 162s
max time network: 170s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:28
Static task: static1
Behavioral task: behavioral1
  Sample: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
Size: 78KB
MD5: e61c0733eec554b44a88b45bf4255965
SHA1: c06333f19c93b928ebdc9abfbd8e6003dcc03707
SHA256: 351478e0165f7dd0c041d73b2163a3cbeb33306f93ef9362b6aa605c586c9c75
SHA512: 15c0557a4564ca8870d3f745e717c7fc1c5d1904a46ba39fdb81674cf89db2462369d9f658531d3488fc665c0653a925d79bac87fae8fc9083b329c2e4714d8c
SSDEEP: 1536:n5jSLLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6q9/s1pH:n5jS3E2EwR4uY41HyvYy9/k
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2624  tmp86AD.tmp.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
  process: tmp86AD.tmp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Token: SeDebugPrivilege   2624  tmp86AD.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                             target process
  PID 1792 wrote to memory of 2212   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  vbc.exe
  PID 1792 wrote to memory of 2212   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  vbc.exe
  PID 1792 wrote to memory of 2212   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  vbc.exe
  PID 1792 wrote to memory of 2212   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  vbc.exe
  PID 2212 wrote to memory of 2132   2212  vbc.exe                                             cvtres.exe
  PID 2212 wrote to memory of 2132   2212  vbc.exe                                             cvtres.exe
  PID 2212 wrote to memory of 2132   2212  vbc.exe                                             cvtres.exe
  PID 2212 wrote to memory of 2132   2212  vbc.exe                                             cvtres.exe
  PID 1792 wrote to memory of 2624   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  tmp86AD.tmp.exe
  PID 1792 wrote to memory of 2624   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  tmp86AD.tmp.exe
  PID 1792 wrote to memory of 2624   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  tmp86AD.tmp.exe
  PID 1792 wrote to memory of 2624   1792  e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe  tmp86AD.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1792
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srxx1czb.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 2212
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8833.tmp"
      PID: 2132
  C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 0cfc102326f89c026e9faa143df8c7fb
SHA1: 93c33fb35fb161ed2039afc333d2a90bf98ba795
SHA256: a81ff0609e315df1e82612f9e702631578dc0a105462bd0db8b6fc578999fa88
SHA512: 773b47d8020d5f2b61c113b02759962843744389d0957cf8b34fd023a3664faf74d439d8da0dc69844fb6f713360ab4399ae525b99028582414b058f587ae417

Filesize: 14KB
MD5: 5589300d037b5b44fc1295b0c90206ae
SHA1: 02e71bb7890feb5994d1ccedc2921adf41511718
SHA256: 375b40d27d73d33433d5e7638fff47880d11561d91ffd39ea1d49fc785f078c1
SHA512: dd4d17e5f7bf4d9ce28d2bd8ed227cdc2eed7f8aacc4e8c2121ffc09bc86d93c8acd9e404eaec47cbe08671c37aa10050b0f03868523d9494e76e23bc26b3138

Filesize: 266B
MD5: 25366dbbddc6c5bd18e824fbc62985e3
SHA1: aed225c96184e119eddfbdbb238fcd6c32d8dbbb
SHA256: 70dcf1f3566c2aa7463101f4ce9262a72f8a248812500ef467d5b485bd916039
SHA512: 5362cb3e6150f9546646f61b42da6c695d1dd66a0b4a7b3c9e97107dffb1e7a94ddea84f62f007cdef32f2099ce0582b25cd50f60f8c092693da036a709ee533

Filesize: 78KB
MD5: a09def80204546ef615e0b84e3a03cae
SHA1: 762d3018432a5467e37949ddf48ab3bfc06abb17
SHA256: 6c9becc8ce4d7f151235d205649b76bbeeff1cf3b76531239640be58846123a9
SHA512: 03ab566d3780c153defa99ffd152264ef282dd96266bc115de08e45d69ae9736f31ae9366ad71adb434395ade023b4e4df8fa4e02724115679386cffb84b2b26

Filesize: 660B
MD5: b8a7846ae295252d08e307b9743d3746
SHA1: e2728d0edea6606f1d4cbf13b32f4ff8a53680d2
SHA256: d91256809f1b75455b827d800626f372950fcf39407990c9641bec3374b73b7d
SHA512: 49d200610ed99921d58f7f0cd69ac6b08bb6d7f5402d7e761f67a323515a718dd0f133c3b84224d499db437e85463a580fc25397772575942450daabe20dbea9

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809