metamorpherrat | 748df5bb358f93dc0c92161ce8688f014f3037b5cea683a3fd46383039aed5fd

General

Target

fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
Size

78KB
MD5

fc26984cf509bab2d3cb2b181746164b
SHA1

4afd7471d736b3aa5f5f56dfcc2051cdca654451
SHA256

748df5bb358f93dc0c92161ce8688f014f3037b5cea683a3fd46383039aed5fd
SHA512

46292e9d8b9a551f6afe8f033bf8feebbfbe19203d3c1da681e278ffd7e3b67af02ce21802fe99f9ba5bd69d6231591fd3eb225c67a6845d60f4e404b36eb31a
SSDEEP

1536:eHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtk9/s210A:eHFon3xSyRxvY3md+dWWZyk9/f

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2612	tmp254C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp254C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
Token: SeDebugPrivilege	2612	tmp254C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1248	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1248	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1248	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1248	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	28
PID 1248 wrote to memory of 2524	1248	vbc.exe	30
PID 1248 wrote to memory of 2524	1248	vbc.exe	30
PID 1248 wrote to memory of 2524	1248	vbc.exe	30
PID 1248 wrote to memory of 2524	1248	vbc.exe	30
PID 2012 wrote to memory of 2612	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2612	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2612	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2612	2012	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n2pd3iey.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25D8.tmp"
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25D9.tmp

Filesize
1KB

MD5
d9561765b7b26f7c6d29087d0913225e

SHA1
b70d220d5a103ccdca65c11db27558e5af3d51d0

SHA256
d64f3cdab74c3907500e56677756c84714f358dea12a659add11cdfa73fb2463

SHA512
d5516789cdcd60e96507dadbe02c649ac74d9cf13db8faa0d9359b4eb1c9e55c088e23a95bc3009b16edf5c10fc3412848db510cbd6574f16eb1f1717c9c8bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2pd3iey.0.vb

Filesize
15KB

MD5
553aa445b239428cbf6b5811090859dc

SHA1
700203c77108a033e851bb6b21e60c2dcc1ae037

SHA256
2c33689bf61e1f7338533b64229e733e60df4cbb7b474a15c25ad4e7909c8962

SHA512
5ba2e3f2506885ed49b3b32535d9c3327c17f3c8fb8da60cc282570659cc6af01ff8d3a17db90a407d2e8ce91234649f3a040778b9e1da432cd77bde51d5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n2pd3iey.cmdline

Filesize
266B

MD5
0e5261753b4a31fd981b463b4d9c576b

SHA1
0942b2851a2174d0e0d83bbd16daa29d41392b63

SHA256
c0f655b1b9fee1fb6028cf1dc6076636535fd9c0ecdbea5e69823a97d4900ef5

SHA512
d9c74fd1bae10d89b84d5b0033725cdf331332bbd57a46d2d3494c1e925243cdb228061e591ab8acc4051dfd931f3b5443bdb1855b0e4a2e28077d15982fcd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.exe

Filesize
78KB

MD5
39d38c5fd4f256dcaaae28fcf6e58385

SHA1
4d2f5963c8975c08a6d0e6dbe7423172a25a22e9

SHA256
df90bbd2f86f463ce860208bd0f724b58fc9e9f8d474bd6748c26b7df968254f

SHA512
59aafa99bec692be00bfc1f555010130904aae7427d1acc6d81ff6f3ba54ce8f14035d05fb0ed7bc5259c98c488080fb7f71daeb0dd5094edcc21403b6684700

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25D8.tmp

Filesize
660B

MD5
39aba9fa0983975ca634e217b543c1c4

SHA1
763931d853391b349bced38865e3c3635a7d5816

SHA256
fdb40f0d3ad138218490eacc0c2951b5fab23f399cd5cd6fb1ce38e880f43796

SHA512
a8317e31ab4ed4bd6c5cb9b25bedd90b643e0f91da381a083c77ea9daa67106a2508d293e45759cbeb6f012e3fb71ccb5f302254bc0b2b3e14bfa53cf3894ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2012-1-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-2-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/2012-0-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-22-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-23-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-25-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-24-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2612-27-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2612-29-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2612-28-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads