Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 20:13

Static task: static1

Behavioral task: behavioral1
  Sample: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General

Target: e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
Size: 78KB
MD5: e850ed9b9eb661162257c74b4caab45d
SHA1: c95d96973e2b74e2d69528cc3c79dbb4ef6707f2
SHA256: 27c0d27301d0249ad037784b18fee5c087534b2ed3de81db6c038227e38deac6
SHA512: d949f12b4e0cba64145a9954b9d90d669df68c4c59f239f677789f422efe746516f9c5243bdaf91ec52964ea0832d69911bc697cfbefed58231fe7800fc98b73
SSDEEP: 1536:m+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6t9/MB1F/:T5jS7JywQjDgTLopLwdCFJzl9/w
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.

Executes dropped EXE (1 IoC)
  Processes:
    PID   process
    2640  tmp1140.tmp.exe

Loads dropped DLL (2 IoCs)
  Processes:
    PID   process
    2168  e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
    2168  e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTP)
  The sample launches vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, to build code at runtime (see the process tree below).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              PID   process
    Token: SeDebugPrivilege  2168  e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    source PID  source process                                       target PID  target process
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2984        vbc.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2984        vbc.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2984        vbc.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2984        vbc.exe
    2984        vbc.exe                                              2544        cvtres.exe
    2984        vbc.exe                                              2544        cvtres.exe
    2984        vbc.exe                                              2544        cvtres.exe
    2984        vbc.exe                                              2544        cvtres.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2640        tmp1140.tmp.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2640        tmp1140.tmp.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2640        tmp1140.tmp.exe
    2168        e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe   2640        tmp1140.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
  PID: 2168
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline"
      PID: 2984
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"
          PID: 2544

    C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
      PID: 2640
      - Executes dropped EXE
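The tree above is the compile-after-delivery pattern: a binary running from the user's Temp directory drives the .NET compiler (vbc.exe) with a response file in that same directory, vbc.exe spawns cvtres.exe as part of a normal build, and the parent then executes a freshly dropped executable. The following detection logic is an added example, not part of the sandbox report or of any vendor's rule set; the process-creation events are constructed from the PIDs, images and command lines in the tree (plus a constructed benign Visual Studio build as a control), and the field names and the list of user-writable directories are assumptions.

```python
"""Detect compile-after-delivery and dropped-EXE execution from process-creation
events. Added example; events below are constructed from the report's process tree."""
import re

# Constructed events modelled on the tree above (ppid 1000 for the sample is assumed).
EVENTS = [
    {"pid": 2168, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"'},
    {"pid": 2984, "ppid": 2168,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline"'},
    {"pid": 2544, "ppid": 2984,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"'},
    {"pid": 2640, "ppid": 2168,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe'},
]

# Constructed benign control: an IDE invoking the same compiler with a response
# file under a project directory. Must not fire.
BENIGN = [
    {"pid": 500, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 501, "ppid": 500,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\Projects\App\obj\Debug\App.cmdline"'},
]

COMPILERS = ("vbc.exe", "csc.exe")
# Assumed set of user-writable locations worth alerting on.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\public|programdata)\\", re.I)
# Captures the response-file path after '@' (quoted or not).
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(events):
    return {e["pid"]: e for e in events}


def detect_compile_after_delivery(events):
    """One finding per compiler launch whose response file sits in a user-writable
    directory AND whose parent image also lives in one. Requiring both keeps
    ordinary build tooling (compiler under an IDE, project under a source tree) quiet."""
    procs = by_pid(events)
    findings = []
    for e in events:
        if basename(e["image"]) not in COMPILERS:
            continue
        m = RESPONSE_FILE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        rsp_in_temp = bool(m and USER_WRITABLE.search(m.group(1)))
        parent_in_temp = bool(parent and USER_WRITABLE.search(parent["image"]))
        if rsp_in_temp and parent_in_temp:
            children = [basename(c["image"]) for c in events if c["ppid"] == e["pid"]]
            findings.append({
                "pid": e["pid"],
                "parent_pid": e["ppid"],
                "response_file": m.group(1),
                # cvtres.exe under the compiler confirms a real build ran, not just a probe.
                "cvtres_child": "cvtres.exe" in children,
            })
    return findings


def detect_dropped_exe(events):
    """Flag execution of an image from a user-writable directory whose parent
    also runs from one (the 'Executes dropped EXE' behaviour: 2168 -> 2640 above)."""
    procs = by_pid(events)
    out = []
    for e in events:
        parent = procs.get(e["ppid"])
        if (parent and USER_WRITABLE.search(e["image"])
                and USER_WRITABLE.search(parent["image"])):
            out.append((e["ppid"], e["pid"], basename(e["image"])))
    return out


if __name__ == "__main__":
    for f in detect_compile_after_delivery(EVENTS):
        print("compile-after-delivery:", f)
    for p in detect_dropped_exe(EVENTS):
        print("dropped EXE executed:", p)
    print("benign control findings:", detect_compile_after_delivery(BENIGN))
```

Run against the constructed events this yields one compile-after-delivery finding (PID 2984, parent 2168, response file hxqyzktd.cmdline, with a cvtres.exe child) and one dropped-EXE execution (2168 spawning tmp1140.tmp.exe), and nothing for the benign control. Swapping EVENTS for parsed Sysmon Event ID 1 or EDR process telemetry is the only change needed to use it in a hunt.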
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 6b524a155cd198fc1ebd5fbc9a63699b
SHA1: 193a7ec61ebc494c24ecd5486a12aeea2c385a02
SHA256: f890326ea31aaa44e996fd0be58beb0a4f1ff78df0a2dd29c74e8078c69dc109
SHA512: 090ad4d7549cf115b5773a0e9d8549f1d196cb5128eb4dacf430d801e7e36c818150c0b183c84f496e815b1a71df3b6fdad6b051fc3a4336c229cd5a5bf38e35

Filesize: 14KB
MD5: 05a14705946741aba02a140c68df18be
SHA1: d2a7f8f4262226d8799e266f2e2acb6c9b99e520
SHA256: 1cff2a93812fb125bbbc5769fac17efb0507463962537a90a1f02c95f1c661b7
SHA512: b6f2c4d795d037f05ded06985b01f36662c55352096cdf443a6c64cf294038d9cfba9f55e4a113c48a6f074c89a8925bdd36d3e33fb996e74923284a984be910

Filesize: 266B
MD5: 0a8147e2d20723531a000176a8445c6d
SHA1: 23eba1de81833df265e3704af583457c94ef38b4
SHA256: 14ed7546826292740b8a98bc68df66cb4580104ff7f92cf7575e20654c39c998
SHA512: 01b43ef5a62a7357db533b2b89c5bf131a3693d80dd432180fef7b605a3cd21b6a0179c4032a95e9e9354e5418b78f94b5d3f9a9200f4853770c5bcb04fbd67f

Filesize: 78KB
MD5: 02c8fb9826d8eedcdfae01026aba80ca
SHA1: 297eae7b3dab86a4f03144840b79852b803603ef
SHA256: 0124dff8d3b7f17f0bda3485b1e96192a029103d5ada2fe90f70a41972580ebf
SHA512: 42e0bcd35390e799c67d45dc0d61c9b8170769f666380b62a71dfa4c86f020c98d8808909ba2ef29b1e387b83e7ea86333f1a209b865b5933b6f2427e0160765

Filesize: 660B
MD5: 3c9664cc3ca7cf024188b2a7bcd4088c
SHA1: 95e3922e02bb7060ac9a2acd24286267b66d183a
SHA256: f4dd0d4afe96cb6b2c4926621cd867023cbce790add0ad5edbd829e1ee60e3ac
SHA512: d2a3ee98cec8d5ef2215119b1a05c8d85c78ebe03dc3bcf946190bac92e12e8be2e9ca25625ccbd4467730dcb7f3762391932e4f784847ce4165f6287d9937bf

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7