Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
- Size: 78KB
- MD5: fc878b59d0092c8c2bc7fc661594950d
- SHA1: 31ab99be8b4b77914a5992716126b59817b2ef57
- SHA256: c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e
- SHA512: 606c5c7e3b64b27198d45ca5aabaeebc36955ab73698103aab4c5b5a257951d9b077c9b6523f5ebd92efae408fd763176137f068a8bed8c253404f2de4b72bf3
- SSDEEP: 1536:shPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96m9/Qc1ST:wPWV5jLSyRxvY3md+dWWZyF9/QZ
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC)
  Process: tmp253C.tmp.exe (PID 2632)
- Loads dropped DLL (2 IoCs)
  Process: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe (PID 2756), 2 events
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tmp253C.tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2756, fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2632, tmp253C.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2756 (fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe) wrote to memory of PID 1760 (vbc.exe), 4 events
  PID 1760 (vbc.exe) wrote to memory of PID 2540 (cvtres.exe), 4 events
  PID 2756 (fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe) wrote to memory of PID 2632 (tmp253C.tmp.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ethdv_wh.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25B9.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES25BA.tmp
  Filesize: 1KB
  MD5: d0ae624663298fda40a05a63b09273f3
  SHA1: 27f280ad23673a14e4359cc2be37ee030e70497f
  SHA256: 1d070d88157e8db84c0f92dce24a0a79fd4fc66c20bb6e3d705226d7c9941fba
  SHA512: 1bccc544b03ed7e7470a6828fb4bbd0d3d4912174d84116ce5f767cfe542b855b533af89983920af1c3986172db560eb82f220aa5f551146397c7586e7bc3a55
- C:\Users\Admin\AppData\Local\Temp\ethdv_wh.0.vb
  Filesize: 14KB
  MD5: 3367a6fd85c2f4b523072e242afb09eb
  SHA1: 054672ef51b53d51d3e9fafba63cf9ec5cf67d4e
  SHA256: dc26cbc8563bfe2aca9b39260225c9b229652879b0a67017f2e8f29640a8470f
  SHA512: fbd26de9aa251113dae2e4c1ae9a107ebfde32d173136581cc5996ce2f1140d29a57146a77f4d0f318afc06d404f8f56d85d1a7097c6dae831986e5e8296a2ba
- C:\Users\Admin\AppData\Local\Temp\ethdv_wh.cmdline
  Filesize: 266B
  MD5: 65d10ad4f6cf1be1b85a1a66b9ab9996
  SHA1: 65f622a158a9274db62c19b0a3b6297595a0a90b
  SHA256: 3e14697e8184fd8ac6318b8ff17ef90b7ec8b6584fa49cada03c07bed4101ca0
  SHA512: fbaf2addb3c5b1ed2c5a6ea99055471719142062451b6c4b3147685647b46ccdee40d25286c16e9f9180156701f2285084fdefd0c471bd80215f76d476e30557
- C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe
  Filesize: 78KB
  MD5: 218b554d0af51e1b16993336d4bddbec
  SHA1: 7aeb3b0eb975bf53f7a8b33a1cfa505b11873b5f
  SHA256: e7c06f502dc5326eb19ddc8bef60b60a49b6bfbe2e3d9ebca2a8132b60b523e0
  SHA512: 4b90d449fba6115b57b0a60d21415b363b75d99a8ae61d15b3638b00efbe8ab1bcd706d97b096d59eee16cce81579b92b0a1484e66a00e413a2e176644244b2e
- C:\Users\Admin\AppData\Local\Temp\vbc25B9.tmp
  Filesize: 660B
  MD5: d8716070010d94df8858b5c03ef89f53
  SHA1: 5c7221d81282cc8be8ea567a73845e987da89048
  SHA256: b0a06e54f4e7cd328a7d5a0263c87ddbcac278586a98d47e06a56a1527c3379d
  SHA512: 1b4c6a2824d8f48779e73eb496162a3a9210fc266adb28f3a17ce4617db05752224f22fb1369cb3b3bd8f9763aef36dc3d80b53f3e68475e3f8129352cfefb82
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- memory/2632-24-0x00000000002A0000-0x00000000002E0000-memory.dmp
  Filesize: 256KB
- memory/2632-25-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2632-26-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2632-27-0x00000000002A0000-0x00000000002E0000-memory.dmp
  Filesize: 256KB
- memory/2632-29-0x00000000002A0000-0x00000000002E0000-memory.dmp
  Filesize: 256KB
- memory/2632-30-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2756-2-0x0000000002000000-0x0000000002040000-memory.dmp
  Filesize: 256KB
- memory/2756-0-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2756-21-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2756-1-0x0000000074C50000-0x00000000751FB000-memory.dmp
  Filesize: 5.7MB
- memory/2756-28-0x0000000002000000-0x0000000002040000-memory.dmp
  Filesize: 256KB