Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 08:35
Static task
static1
Behavioral task
behavioral1
Sample
e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target: e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Size: 78KB
MD5: e70e6981b147592d7ae3f9a8f30f0073
SHA1: 80f7d8c402aa38203c04997d621d5dd3838ceaf9
SHA256: d91c05a3eff0a8efe68dcede65775c3e246b47125fda5ccbe0f9a592b440b857
SHA512: f7420d1225e58afcb90c77ad42817e71f2c480f1bb4d815334b98f2e1d2c3cf199f8b66626058a90e5e42f3ea99e8e24e4f1b96619662819139d68ed45cfa1f9
SSDEEP: 1536:nc5jScdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6d9/l1c+:nc5jSrn7N041Qqhg19/z
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
Processes:
tmp33B2.tmp.exe
pid | process
4124 | tmp33B2.tmp.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp33B2.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp33B2.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe, tmp33B2.tmp.exe
description | pid | process
Token: SeDebugPrivilege | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Token: SeDebugPrivilege | 4124 | tmp33B2.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 4280 wrote to memory of 5052 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | vbc.exe
PID 4280 wrote to memory of 5052 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | vbc.exe
PID 4280 wrote to memory of 5052 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | vbc.exe
PID 5052 wrote to memory of 784 | 5052 | vbc.exe | cvtres.exe
PID 5052 wrote to memory of 784 | 5052 | vbc.exe | cvtres.exe
PID 5052 wrote to memory of 784 | 5052 | vbc.exe | cvtres.exe
PID 4280 wrote to memory of 4124 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | tmp33B2.tmp.exe
PID 4280 wrote to memory of 4124 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | tmp33B2.tmp.exe
PID 4280 wrote to memory of 4124 | 4280 | e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | tmp33B2.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4280

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r_rsxecb.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 5052

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES347D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77F5433D4E4D41929CA948C1A6A4981D.TMP"
      PID: 784

  C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 4124
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: b1b4171b3ef71c761ea9f69a46830714
SHA1: 002b1bcbd97baf618bf62ef6c4bc990cc6b898fb
SHA256: 6e02ec9aa90efeddfaca19624a8e370abfcffd6bae9383283cde0ae62ee225ff
SHA512: 9ce72e8f2cb098f327c0edf3535b560815680edba6ec0afea2ed003bcc4e2329fc8b553cd2ae0f83107fba2c5a0c6fb38d31ec535c458b4b6d2c259819bbfd01

Filesize: 14KB
MD5: 435818a9a2336c4be6d852fb2ddc0a85
SHA1: 7deee0508b30bdccc70cd0bbbffe1d3dcc645021
SHA256: 1df6b8dfb703fe8e44af387ecb4fdfab311700c2a12575316bd06351237c2111
SHA512: 513478fd8e2c9b34e4634d675da20f81099c0271a7668c91405d07f85e3330b7f3271aa543a2e79792c6fd74f5023cd7ba4d4b001c3b6ff86bd192d42f9e88bb

Filesize: 266B
MD5: e22e1fac1ef1f620bc7a43e0493b6067
SHA1: 70e024af78c5f2299af0c692c2990b239414c993
SHA256: 5c07e141ba16003db63663783cb1a0adee76e657444ef9905f29a4c6dba4d2b2
SHA512: 2a18d9fa7adae576cdbc40f903aee52954268a947d39713b78e7d26df76d78748b8432ea5cb530d5bdb3301dc13629ce596f3eea2c30403e97c3e22bb0a9ec77

Filesize: 78KB
MD5: def6e676b4724e9ee2a7a25ddb4f9653
SHA1: c66840a75ef916ac93cc6e0033d7c4c5004c481d
SHA256: 951e8720e10696e814168dda395a3bb210d1bc9a04a31d4a37730c1c416d146c
SHA512: e8f4ea8c408dfdf9d988f5a3cc352aff2551158c869bc976039bd106a4c318af2ac14bcfad1d4f769b4676db99c96696d26d3f53636612d102705646fc33b231

Filesize: 660B
MD5: f70c7fcf295bbb88db3d782d5c91085d
SHA1: a8e2aa95bfc8f695a4e212f7006ccac61f9ab360
SHA256: f437d25318d421d57907a21edee29de8b15244087430183a6658b27a2999b9da
SHA512: 9d784f346c4d7f4c636946e45c9b19f8caad998553f1e5dfbea7199c75b5580c32f04bcefee08ab8674d144b7ea30ab0041041eb8b4bab7481037e3eb80da871

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65