metamorpherrat | b01a9945d1ac0c4fcb81680837b580e07b56f830bbf61d5c1ca071f8618a3f5a

General

Target

ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
Size

78KB
MD5

ece603c81456294d88e05e0c42f81e51
SHA1

d453f2c368bc49dfe91632747a43560835fafe4f
SHA256

b01a9945d1ac0c4fcb81680837b580e07b56f830bbf61d5c1ca071f8618a3f5a
SHA512

fc1fa4c58aef7639e3db9b689cc0a2edcc6fe8342f296a34441c22c999f44aff702940a92649efadea3bfa3a58381071ebb407b1f5bf3edac101a238baae07b3
SSDEEP

1536:wuHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQte99/y1+9:wuHYn3xSyRxvY3md+dWWZye99/J

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp1046.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp1046.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
Token: SeDebugPrivilege	2676	tmp1046.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1744	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	28
PID 2316 wrote to memory of 1744	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	28
PID 2316 wrote to memory of 1744	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	28
PID 2316 wrote to memory of 1744	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2084	1744	vbc.exe	30
PID 1744 wrote to memory of 2084	1744	vbc.exe	30
PID 1744 wrote to memory of 2084	1744	vbc.exe	30
PID 1744 wrote to memory of 2084	1744	vbc.exe	30
PID 2316 wrote to memory of 2676	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2676	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2676	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2676	2316	ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp"
    3⤵
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7m_a_az7.0.vb

Filesize
15KB

MD5
bc6dac9026e3e891df386536f018a652

SHA1
88e69709ca10992d168084ac372d50e20c029091

SHA256
e80163f5707a60ba8802946830dbefea73cc7117cda2bae1d4cd3dd0b6dadc25

SHA512
f53b5dcf521336cbab76568678cc23b13cfaac92de77ad2007fb79cc21c2da7208dfdc67d7a6cf680027d924135a17e5b11042c9e702702a0392c578bacf76f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline

Filesize
266B

MD5
8e6dd8f164c62464647f1f1c20d8c6ad

SHA1
fbc654481bc79d3630fbbc4f5e7fad4d15510acc

SHA256
1e4598effc92ff14be4455185925ba048e80b0af02a098cab28066ae36b7edc2

SHA512
5d36035fb05a02252ab532b0179bdc3307990cef46b5046ef9f3022aba195812cf4b5d320b23df21c73ae14095ecaa1f70227a7137d8cdf9249a36b3efb55caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1112.tmp

Filesize
1KB

MD5
9afacb8ffb1936e1316bcc3e78d03931

SHA1
2d130fe4ed8266860a053d2e3752aa3b90bfcd9f

SHA256
11f206f0e5ec7dca3a77a327b52881eaf2f239debca60b40e4ba386b1d94354b

SHA512
04fc12857a46e4f08ed6a9e3ccbd0e5f309ae2ae08d38d9583c985215620a781c8f000b3a2587ff61b4e880a423e2238519fb9d559eac19d3547d9181b704dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe

Filesize
78KB

MD5
cdf9fc336a87e5b0baa9df1c144e7242

SHA1
2ad666856d3f230d5f64da1f37aa86d6965461b0

SHA256
6ee647040c2d7d39c0df192cd4cc79d733ea02f68e62c3a52f63e8c67d1f17e9

SHA512
8e482225e52b75fddbff856d18654c58e91cd9289400c5aa09408d9c62d1476203b2dd2d6d45465e72ba022c8d4813e5c4666d2eaae27e46536e01ed4cebbeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp

Filesize
660B

MD5
0012eb1cade60971198c19845856ad20

SHA1
785b28775c982a0990ac693879bfc9a66b11f8a7

SHA256
9465cc8b54e005cc53514743896cf551373896684a243d9d929614fc6e153285

SHA512
887fd9bb4b712588b34d85a65d7a3913f7d63c23d9cc4e4dfd6c544aa88c9a570860b97ec1bc88a169b02aba06180ea25c27b0a707a0207722abe28b6cec9ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2316-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-1-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2316-0-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-22-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-23-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-24-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/2676-25-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-27-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/2676-28-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-29-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads