Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-04-2024 20:13

General

  • Target

    e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    e850ed9b9eb661162257c74b4caab45d

  • SHA1

    c95d96973e2b74e2d69528cc3c79dbb4ef6707f2

  • SHA256

    27c0d27301d0249ad037784b18fee5c087534b2ed3de81db6c038227e38deac6

  • SHA512

    d949f12b4e0cba64145a9954b9d90d669df68c4c59f239f677789f422efe746516f9c5243bdaf91ec52964ea0832d69911bc697cfbefed58231fe7800fc98b73

  • SSDEEP

    1536:m+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6t9/MB1F/:T5jS7JywQjDgTLopLwdCFJzl9/w

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"
        3⤵
        PID:2544
      • C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
        2⤵
        • Executes dropped EXE
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES120B.tmp

      Filesize

      1KB

      MD5

      6b524a155cd198fc1ebd5fbc9a63699b

      SHA1

      193a7ec61ebc494c24ecd5486a12aeea2c385a02

      SHA256

      f890326ea31aaa44e996fd0be58beb0a4f1ff78df0a2dd29c74e8078c69dc109

      SHA512

      090ad4d7549cf115b5773a0e9d8549f1d196cb5128eb4dacf430d801e7e36c818150c0b183c84f496e815b1a71df3b6fdad6b051fc3a4336c229cd5a5bf38e35

    • C:\Users\Admin\AppData\Local\Temp\hxqyzktd.0.vb

      Filesize

      14KB

      MD5

      05a14705946741aba02a140c68df18be

      SHA1

      d2a7f8f4262226d8799e266f2e2acb6c9b99e520

      SHA256

      1cff2a93812fb125bbbc5769fac17efb0507463962537a90a1f02c95f1c661b7

      SHA512

      b6f2c4d795d037f05ded06985b01f36662c55352096cdf443a6c64cf294038d9cfba9f55e4a113c48a6f074c89a8925bdd36d3e33fb996e74923284a984be910

    • C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline

      Filesize

      266B

      MD5

      0a8147e2d20723531a000176a8445c6d

      SHA1

      23eba1de81833df265e3704af583457c94ef38b4

      SHA256

      14ed7546826292740b8a98bc68df66cb4580104ff7f92cf7575e20654c39c998

      SHA512

      01b43ef5a62a7357db533b2b89c5bf131a3693d80dd432180fef7b605a3cd21b6a0179c4032a95e9e9354e5418b78f94b5d3f9a9200f4853770c5bcb04fbd67f

    • C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe

      Filesize

      78KB

      MD5

      02c8fb9826d8eedcdfae01026aba80ca

      SHA1

      297eae7b3dab86a4f03144840b79852b803603ef

      SHA256

      0124dff8d3b7f17f0bda3485b1e96192a029103d5ada2fe90f70a41972580ebf

      SHA512

      42e0bcd35390e799c67d45dc0d61c9b8170769f666380b62a71dfa4c86f020c98d8808909ba2ef29b1e387b83e7ea86333f1a209b865b5933b6f2427e0160765

    • C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp

      Filesize

      660B

      MD5

      3c9664cc3ca7cf024188b2a7bcd4088c

      SHA1

      95e3922e02bb7060ac9a2acd24286267b66d183a

      SHA256

      f4dd0d4afe96cb6b2c4926621cd867023cbce790add0ad5edbd829e1ee60e3ac

      SHA512

      d2a3ee98cec8d5ef2215119b1a05c8d85c78ebe03dc3bcf946190bac92e12e8be2e9ca25625ccbd4467730dcb7f3762391932e4f784847ce4165f6287d9937bf

    • C:\Users\Admin\AppData\Local\Temp\zCom.resources

      Filesize

      62KB

      MD5

      484967ab9def8ff17dd55476ca137721

      SHA1

      a84012f673fe1ac9041e7827cc3de4b20a1194e2

      SHA256

      9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

      SHA512

      1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

    • memory/2168-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB

    • memory/2168-1-0x0000000001F60000-0x0000000001FA0000-memory.dmp

      Filesize

      256KB

    • memory/2168-0-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB

    • memory/2168-22-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB

    • memory/2640-24-0x0000000000490000-0x00000000004D0000-memory.dmp

      Filesize

      256KB

    • memory/2640-23-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB

    • memory/2640-25-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB

    • memory/2640-26-0x0000000000490000-0x00000000004D0000-memory.dmp

      Filesize

      256KB

    • memory/2640-28-0x0000000000490000-0x00000000004D0000-memory.dmp

      Filesize

      256KB

    • memory/2640-27-0x0000000074530000-0x0000000074ADB000-memory.dmp

      Filesize

      5.7MB