Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 23:28
Static task: static1
Behavioral task: behavioral1
  Sample: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
Size: 78KB
MD5: e61c0733eec554b44a88b45bf4255965
SHA1: c06333f19c93b928ebdc9abfbd8e6003dcc03707
SHA256: 351478e0165f7dd0c041d73b2163a3cbeb33306f93ef9362b6aa605c586c9c75
SHA512: 15c0557a4564ca8870d3f745e717c7fc1c5d1904a46ba39fdb81674cf89db2462369d9f658531d3488fc665c0653a925d79bac87fae8fc9083b329c2e4714d8c
SSDEEP: 1536:n5jSLLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6q9/s1pH:n5jS3E2EwR4uY41HyvYy9/k
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description       | ioc                                                                                                | process
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  2176 | tmp824F.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description     | ioc                                                                                                                                                  | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp824F.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2176 | tmp824F.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                      | pid  | process                                            | target process
  PID 2156 wrote to memory of 376  | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | vbc.exe
  PID 2156 wrote to memory of 376  | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | vbc.exe
  PID 2156 wrote to memory of 376  | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | vbc.exe
  PID 376 wrote to memory of 1780  | 376  | vbc.exe                                            | cvtres.exe
  PID 376 wrote to memory of 1780  | 376  | vbc.exe                                            | cvtres.exe
  PID 376 wrote to memory of 1780  | 376  | vbc.exe                                            | cvtres.exe
  PID 2156 wrote to memory of 2176 | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | tmp824F.tmp.exe
  PID 2156 wrote to memory of 2176 | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | tmp824F.tmp.exe
  PID 2156 wrote to memory of 2176 | 2156 | e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | tmp824F.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2156

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afag3fhf.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 376

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8424.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB43D1A27EBA4377A9E596FCAE7C92F.TMP"
      PID: 1780

  C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
  PID: 4956
Network
MITRE ATT&CK Enterprise v15
Downloads