metamorpherrat | a78d29187a50431c5865c0e25979055dfb76737a12c2bfdee725013d056fe471

General

Target

e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
Size

78KB
MD5

e8cd94209fa88d7b99a6bbc21738b947
SHA1

40a923b789cd455468e80123c1acac6a3681440e
SHA256

a78d29187a50431c5865c0e25979055dfb76737a12c2bfdee725013d056fe471
SHA512

2c798e7f729986392e71eb0d50f476fc29629ef408d31e3e306a4fc9a01880929e05b4147b0d2cd662612ea1ba4bd8866bfac634e08c4454ac65745d65b62ca4
SSDEEP

1536:aPWV58eLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6T9/m1RS:aPWV58gE2EwR4uY41HyvYr9/7

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2592	tmp16BC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp16BC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
Token: SeDebugPrivilege	2592	tmp16BC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3048	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	28
PID 2072 wrote to memory of 3048	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	28
PID 2072 wrote to memory of 3048	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	28
PID 2072 wrote to memory of 3048	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2588	3048	vbc.exe	30
PID 3048 wrote to memory of 2588	3048	vbc.exe	30
PID 3048 wrote to memory of 2588	3048	vbc.exe	30
PID 3048 wrote to memory of 2588	3048	vbc.exe	30
PID 2072 wrote to memory of 2592	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2592	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2592	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2592	2072	e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xhqborh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"
    3⤵
    PID:2588
- C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7xhqborh.0.vb

Filesize
14KB

MD5
823b1eb86def5e3e63b20d9afa17c4c7

SHA1
916baed6275a978ac1d22342670054b4ee20b000

SHA256
d05ed3426af9b45a94c0e5d8dc196f6fa3422a49a4eddbcfd49959b63f279c31

SHA512
762255cad7bd78cf53152adea57084bf3e9ea05ed74090d2888abf9a10ec6bb1333cc09bc621e71f14f261c2db532da515446b251a636d93cbe45f57610da656

Download Submit
C:\Users\Admin\AppData\Local\Temp\7xhqborh.cmdline

Filesize
266B

MD5
547ecf71041cb3ef34665ad4a256619a

SHA1
3c6073a5138f1bfbe548096d4b68fcd851b9939f

SHA256
095f16ef596dc0d1a9ce1e312d0584e9b4711129c2c9c4c20470073fd093e3b0

SHA512
6dbb583d2d0f07f19b190596c8b22d27a1a999f4c45dd527278fdbf8601ceaa28611b14b78896e97714b933c99d895f1b865101730e8c28b18b1e22d55a649b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1759.tmp

Filesize
1KB

MD5
9eea1dc3a74465a144ccdac289794af5

SHA1
4486b7d0870c42a97c3a81b26e2ca75ba2d550e1

SHA256
ca85e251c38f977ff553a95e3f7010a3676ad47724032d08fbe5dd91b882bce0

SHA512
5bf8cf16913e58624acb94c8684b636421216c4afb0294c2cd6597520c7fc26489865993b5e15f0bf2ac4989a61b7f941dd1d9ba9995cadf60b37a1229350aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe

Filesize
78KB

MD5
97d7d98d9f0fb29856eb408e4a6c899f

SHA1
6faff0b1d7b215a2609418135bf1330c47ae245f

SHA256
86c64660f8f1ffebb522f7de13d9b6732de495700c25523f675d8289b0d67ead

SHA512
68dda89c1fb684d7d2fe77706ca061da22287617ddcf87565adae2a3f75c484f05728fc4043223acc0bdf07a88e97d8bb451a476e6be598355e7b0b892c2d983

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp

Filesize
660B

MD5
0c120cad3bc4ab00dab2fb841581938c

SHA1
4ffac40b8cb60a978212f130ba7d6998bb10043c

SHA256
01249e81f4aa72b8dacce179d1b8df0a5c269d4b4c2ef8b4c42e3d2dde6eaa15

SHA512
4113011718f459f49ef7aae8d52e7589a0c682ec74f3fb63204fc7cca6f056a17183dc09fb195d98bd98ae2daacef231cee23e0e273517b9bc2523c6eac5d918

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2072-22-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-0-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-1-0x0000000001FE0000-0x0000000002020000-memory.dmp

Filesize
256KB

Download
memory/2072-2-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-23-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-24-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/2592-25-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-27-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download
memory/2592-28-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2592-29-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads