metamorpherrat | 748df5bb358f93dc0c92161ce8688f014f3037b5cea683a3fd46383039aed5fd

General

Target

fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
Size

78KB
MD5

fc26984cf509bab2d3cb2b181746164b
SHA1

4afd7471d736b3aa5f5f56dfcc2051cdca654451
SHA256

748df5bb358f93dc0c92161ce8688f014f3037b5cea683a3fd46383039aed5fd
SHA512

46292e9d8b9a551f6afe8f033bf8feebbfbe19203d3c1da681e278ffd7e3b67af02ce21802fe99f9ba5bd69d6231591fd3eb225c67a6845d60f4e404b36eb31a
SSDEEP

1536:eHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtk9/s210A:eHFon3xSyRxvY3md+dWWZyk9/f

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3220	tmp3662.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3220	tmp3662.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp3662.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
Token: SeDebugPrivilege	3220	tmp3662.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3556	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	86
PID 2252 wrote to memory of 3556	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	86
PID 2252 wrote to memory of 3556	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	86
PID 3556 wrote to memory of 3516	3556	vbc.exe	88
PID 3556 wrote to memory of 3516	3556	vbc.exe	88
PID 3556 wrote to memory of 3516	3556	vbc.exe	88
PID 2252 wrote to memory of 3220	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	90
PID 2252 wrote to memory of 3220	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	90
PID 2252 wrote to memory of 3220	2252	fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oa0jvyc3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES373C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB67109073A394315A721FE908A5F3D9D.TMP"
    3⤵
    PID:3516
- C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES373C.tmp

Filesize
1KB

MD5
8e73ffbabd01e308927f7bcf723ea5e6

SHA1
ee3d60a174de7947785bb35ba62a602afee5452b

SHA256
e16bc75de4f9ff03ab0ea38e5e429830dba45bb12b3a6fcea3d628520300f0c4

SHA512
6ae39f863c6ba7e8aacddafeec9fdd830f24af3a9571a78baaf2a15bec9455637c721c51c1a4cffd7b0fb719dacc486f803af0c0b0abcc7440afdb9fa0908f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\oa0jvyc3.0.vb

Filesize
15KB

MD5
c14a8cb235da3c77ec5ed439d4eb0d39

SHA1
f72934e96778180b3763e3346231c95083aef47f

SHA256
ca7328d66d39c06ae4c6b7a72689cb1bb1b42f200c1f01fd6eb769373bed22dc

SHA512
a9ac6456f4fd9a214c9fa528b59540f5bb0ff5592a5cf815db4d196b16fb646e795d73b94803ece8b12cfe65054cefcaff25cf9baadd41c10d86a6a532ca97fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oa0jvyc3.cmdline

Filesize
266B

MD5
235a0ef4b02d4ef9ff7e1a6ca460ac75

SHA1
b6b52dc9f47a6ed6685b14bfce1ba7f05f1cacf9

SHA256
3121332d36aac293d31a4bf60bccca52a40de4b37970b58a83feeea5054c265c

SHA512
421fd9915ceee01c5660b653ba7a9233ef4a81c934c665d97bd12be6b4295ba96b7804bbeca6b761067f0dbfd580e99cc408d199ee90bb2bd81177e6220596b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe

Filesize
78KB

MD5
b913e9b336cf60b9b090ebe2104959e3

SHA1
b30adfa1c8b559b0dcec21a10d0e0efa2cf85595

SHA256
22c83b81bdba61f8121af640b1a827709312383f23e64bf254ca7a7eeef05a28

SHA512
01b141b3130d53b0bf457ce3d768c7ebe276316a697f08e385b57228c7b43e8b67aa0fe9637798a2233474bf7f43075bc9f21fa4376ea7498bbbcce63597a569

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB67109073A394315A721FE908A5F3D9D.TMP

Filesize
660B

MD5
b1553496892911a4a27d2ba942515085

SHA1
bea09ae3f3e67188041574d75d2e23daeeba5499

SHA256
28cd7862342a930af8325e878bac1a6b9c4317c41ee672695187a2f33bd40f87

SHA512
c287f50401ff863aa4e78d9cf0d2dd6da0ba6b1bc05777c7984239f3f9f1976d162d7569453a7d465de74aa2c823d6d69e22fda6d24d9f57febefa3b84baab20

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2252-2-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2252-1-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2252-0-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/2252-20-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-21-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-22-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/3220-23-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-25-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/3220-26-0x0000000074C20000-0x00000000751D1000-memory.dmp

Filesize
5.7MB

Download
memory/3220-27-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads