Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 08-04-2024 08:35
Static task: static1
Behavioral task: behavioral1 (sample e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe, resource win10v2004-20240226-en)
General
Target: e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Size: 78KB
MD5: e70e6981b147592d7ae3f9a8f30f0073
SHA1: 80f7d8c402aa38203c04997d621d5dd3838ceaf9
SHA256: d91c05a3eff0a8efe68dcede65775c3e246b47125fda5ccbe0f9a592b440b857
SHA512: f7420d1225e58afcb90c77ad42817e71f2c480f1bb4d815334b98f2e1d2c3cf199f8b66626058a90e5e42f3ea99e8e24e4f1b96619662819139d68ed45cfa1f9
SSDEEP: 1536:nc5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6d9/l1c+:nc5jSrn7N041Qqhg19/z
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
Processes:
  PID 2652  tmp25C9.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 2992  e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
  PID 2992  e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  Process: tmp25C9.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2992  e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 2652  tmp25C9.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each source/target pair is logged four times):
  PID 2992 (e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe) wrote to memory of PID 2668 (vbc.exe)  x4
  PID 2668 (vbc.exe) wrote to memory of PID 2488 (cvtres.exe)  x4
  PID 2992 (e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe) wrote to memory of PID 2652 (tmp25C9.tmp.exe)  x4
Processes
1. C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe"
   PID: 2992
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bstgaruu.cmdline"
      PID: 2668
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2666.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2665.tmp"
         PID: 2488
   2. C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
      PID: 2652
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads