metamorpherrat | c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e

General

Target

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Size

78KB
MD5

fc878b59d0092c8c2bc7fc661594950d
SHA1

31ab99be8b4b77914a5992716126b59817b2ef57
SHA256

c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e
SHA512

606c5c7e3b64b27198d45ca5aabaeebc36955ab73698103aab4c5b5a257951d9b077c9b6523f5ebd92efae408fd763176137f068a8bed8c253404f2de4b72bf3
SSDEEP

1536:shPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96m9/Qc1ST:wPWV5jLSyRxvY3md+dWWZyF9/QZ

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp253C.tmp.exe

pid process

2632 tmp253C.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe

pid process

2756 fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
2756 fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2632	tmp253C.tmp.exe

pid	process
2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp253C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp253C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exetmp253C.tmp.exe

description pid process

Token: SeDebugPrivilege 2756 fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Token: SeDebugPrivilege 2632 tmp253C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	tmp253C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2756 wrote to memory of 1760	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 2756 wrote to memory of 1760	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 2756 wrote to memory of 1760	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 2756 wrote to memory of 1760	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 1760 wrote to memory of 2540	1760	vbc.exe	cvtres.exe
PID 1760 wrote to memory of 2540	1760	vbc.exe	cvtres.exe
PID 1760 wrote to memory of 2540	1760	vbc.exe	cvtres.exe
PID 1760 wrote to memory of 2540	1760	vbc.exe	cvtres.exe
PID 2756 wrote to memory of 2632	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp253C.tmp.exe
PID 2756 wrote to memory of 2632	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp253C.tmp.exe
PID 2756 wrote to memory of 2632	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp253C.tmp.exe
PID 2756 wrote to memory of 2632	2756	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp253C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ethdv_wh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25B9.tmp"
3⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25BA.tmp
Filesize
1KB

MD5
d0ae624663298fda40a05a63b09273f3

SHA1
27f280ad23673a14e4359cc2be37ee030e70497f

SHA256
1d070d88157e8db84c0f92dce24a0a79fd4fc66c20bb6e3d705226d7c9941fba

SHA512
1bccc544b03ed7e7470a6828fb4bbd0d3d4912174d84116ce5f767cfe542b855b533af89983920af1c3986172db560eb82f220aa5f551146397c7586e7bc3a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ethdv_wh.0.vb
Filesize
14KB

MD5
3367a6fd85c2f4b523072e242afb09eb

SHA1
054672ef51b53d51d3e9fafba63cf9ec5cf67d4e

SHA256
dc26cbc8563bfe2aca9b39260225c9b229652879b0a67017f2e8f29640a8470f

SHA512
fbd26de9aa251113dae2e4c1ae9a107ebfde32d173136581cc5996ce2f1140d29a57146a77f4d0f318afc06d404f8f56d85d1a7097c6dae831986e5e8296a2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ethdv_wh.cmdline
Filesize
266B

MD5
65d10ad4f6cf1be1b85a1a66b9ab9996

SHA1
65f622a158a9274db62c19b0a3b6297595a0a90b

SHA256
3e14697e8184fd8ac6318b8ff17ef90b7ec8b6584fa49cada03c07bed4101ca0

SHA512
fbaf2addb3c5b1ed2c5a6ea99055471719142062451b6c4b3147685647b46ccdee40d25286c16e9f9180156701f2285084fdefd0c471bd80215f76d476e30557

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp253C.tmp.exe
Filesize
78KB

MD5
218b554d0af51e1b16993336d4bddbec

SHA1
7aeb3b0eb975bf53f7a8b33a1cfa505b11873b5f

SHA256
e7c06f502dc5326eb19ddc8bef60b60a49b6bfbe2e3d9ebca2a8132b60b523e0

SHA512
4b90d449fba6115b57b0a60d21415b363b75d99a8ae61d15b3638b00efbe8ab1bcd706d97b096d59eee16cce81579b92b0a1484e66a00e413a2e176644244b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25B9.tmp
Filesize
660B

MD5
d8716070010d94df8858b5c03ef89f53

SHA1
5c7221d81282cc8be8ea567a73845e987da89048

SHA256
b0a06e54f4e7cd328a7d5a0263c87ddbcac278586a98d47e06a56a1527c3379d

SHA512
1b4c6a2824d8f48779e73eb496162a3a9210fc266adb28f3a17ce4617db05752224f22fb1369cb3b3bd8f9763aef36dc3d80b53f3e68475e3f8129352cfefb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2632-24-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2632-25-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-26-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-27-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2632-29-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2632-30-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-2-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2756-0-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-21-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-28-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads