Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
- Size: 78KB
- MD5: fc0ada1226b3666b5875cf6c4cbe07d8
- SHA1: 7404925277988f1ffab7a2bf9400d51a837923ea
- SHA256: a631d8a8d5d3821bfd0da928365f7b7bb4921461652c5a5b2c406e61f9c23a62
- SHA512: e87923f1ba24d9f646bfaf1ca01e7e66174defdde0d4ce2b65da23e78f59a9cc9492626cc25dc5440b9c51c47ad33aaaf37c5a98dc74062925d6169e1ed68807
- SSDEEP: 1536:75jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6h9/V166:75j9n7N041Qqhg59/9
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2480  tmp1036.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 2040  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
    PID 2040  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Process: tmp1036.tmp.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 2040  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
    Token: SeDebugPrivilege  PID 2480  tmp1036.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 2040 wrote to memory of 2084  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> vbc.exe
    PID 2040 wrote to memory of 2084  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> vbc.exe
    PID 2040 wrote to memory of 2084  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> vbc.exe
    PID 2040 wrote to memory of 2084  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> vbc.exe
    PID 2084 wrote to memory of 2644  vbc.exe -> cvtres.exe
    PID 2084 wrote to memory of 2644  vbc.exe -> cvtres.exe
    PID 2084 wrote to memory of 2644  vbc.exe -> cvtres.exe
    PID 2084 wrote to memory of 2644  vbc.exe -> cvtres.exe
    PID 2040 wrote to memory of 2480  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> tmp1036.tmp.exe
    PID 2040 wrote to memory of 2480  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> tmp1036.tmp.exe
    PID 2040 wrote to memory of 2480  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> tmp1036.tmp.exe
    PID 2040 wrote to memory of 2480  fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe -> tmp1036.tmp.exe
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnmruxim.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp"
   2. C:\Users\Admin\AppData\Local\Temp\tmp1036.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1036.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc0ada1226b3666b5875cf6c4cbe07d8_JaffaCakes118.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp
  Filesize: 1KB
  MD5: e9902f71988b0f5f0dd9413de72c51f6
  SHA1: 2717076fdcb158c5b88a0e0df9200f38ab824c34
  SHA256: 713940c17e48810fedae53f7f9eb297977b40140481c6bc8dfe7023260c34cea
  SHA512: fc786070a397e5ab01ff42e3a289285cd63ba9db36974f6e1865c287c6473036629909d9905a34139ea1799f9e2b73c95468af90320c1937fef3c61be0b743e7
- C:\Users\Admin\AppData\Local\Temp\dnmruxim.0.vb
  Filesize: 14KB
  MD5: ace9badb8fd95c9e013763b2ef151666
  SHA1: d6c4f4ec2a2230220e67e82226e6961ee2bc677c
  SHA256: 7816724c4bdde1dc426601d2b3c71263e7a324b579b169ce2ec51e5163b48e84
  SHA512: 0c9f2fd3150cefdb0ceb76bb73f05e27eb43c0b8ce48c0b5c0d12b38c6ddef0913a085199223cad0b5eed5881497b739e4a8a28e3cc07ba86c881efc106ed55f
- C:\Users\Admin\AppData\Local\Temp\dnmruxim.cmdline
  Filesize: 266B
  MD5: cfeea02d3166290c547ec0bc9c0f274d
  SHA1: dee352bef86c18f670193c2741196b0a7d8e27ac
  SHA256: 4453fc646d01d701ee383daf9eb76e044affb48499ab3f889abef20e24cd818f
  SHA512: 701d4ad7e5c0ac7e4fc94a344b70508067668da568ec0c8053d4a05650150db0e4a30dde2b3820b1acf090e2a6c63db96a6a3c19f77fd5f063576c135511a117
- C:\Users\Admin\AppData\Local\Temp\tmp1036.tmp.exe
  Filesize: 78KB
  MD5: 38a6fcf8ab554257914b04fa478d980f
  SHA1: 1b7b6664b28ed90db9066936dc18829b61d8b733
  SHA256: 9210ea15f52fd941f651810f60faa0e29c648991f01cc166f2b34cebe03ccb77
  SHA512: 141a10b6ce50176c7414159a7559c4b256956b4a102a88348937361c5fb70b080344d5cdad9c6d5db7ae40216da769995def9524f08f8a716d85598c8f678acc
- C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp
  Filesize: 660B
  MD5: 07da3782ea85d5b6086defa05696a07d
  SHA1: d05eaa42cea1b0d5834e2aa838b9958db5aaaf76
  SHA256: 9e78275663dddd0efce0b18918f45f7d20590b6155802528dac9dc042c417a51
  SHA512: 5c7649c0ddbd09f4b69be801400e5c7f8ab2f26cde88edd56045a333fb0041ac9a3d150b242846543277130b517bc49191f781644a831c22e0b98d5cb3f57603
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/2040-22-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2040-1-0x0000000000B90000-0x0000000000BD0000-memory.dmp
  Filesize: 256KB
- memory/2040-0-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2040-2-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2480-23-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2480-24-0x0000000000970000-0x00000000009B0000-memory.dmp
  Filesize: 256KB
- memory/2480-25-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2480-27-0x0000000000970000-0x00000000009B0000-memory.dmp
  Filesize: 256KB
- memory/2480-28-0x0000000074A60000-0x000000007500B000-memory.dmp
  Filesize: 5.7MB
- memory/2480-29-0x0000000000970000-0x00000000009B0000-memory.dmp
  Filesize: 256KB
- memory/2480-30-0x0000000000970000-0x00000000009B0000-memory.dmp
  Filesize: 256KB