Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Size: 78KB
MD5: fc878b59d0092c8c2bc7fc661594950d
SHA1: 31ab99be8b4b77914a5992716126b59817b2ef57
SHA256: c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e
SHA512: 606c5c7e3b64b27198d45ca5aabaeebc36955ab73698103aab4c5b5a257951d9b077c9b6523f5ebd92efae408fd763176137f068a8bed8c253404f2de4b72bf3
SSDEEP: 1536:shPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96m9/Qc1ST:wPWV5jLSyRxvY3md+dWWZyF9/QZ
Malware Config
Signatures
- MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
    process: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes:
  tmp3028.tmp.exe
    pid: 5000
    process: tmp3028.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  tmp3028.tmp.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
    process: tmp3028.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe, tmp3028.tmp.exe
    description: Token: SeDebugPrivilege | pid: 4804 | process: fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
    description: Token: SeDebugPrivilege | pid: 5000 | process: tmp3028.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe, vbc.exe
    description | pid | process | target process
    PID 4804 wrote to memory of 4360 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | vbc.exe
    PID 4804 wrote to memory of 4360 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | vbc.exe
    PID 4804 wrote to memory of 4360 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | vbc.exe
    PID 4360 wrote to memory of 1500 | 4360 | vbc.exe | cvtres.exe
    PID 4360 wrote to memory of 1500 | 4360 | vbc.exe | cvtres.exe
    PID 4360 wrote to memory of 1500 | 4360 | vbc.exe | cvtres.exe
    PID 4804 wrote to memory of 5000 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | tmp3028.tmp.exe
    PID 4804 wrote to memory of 5000 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | tmp3028.tmp.exe
    PID 4804 wrote to memory of 5000 | 4804 | fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe | tmp3028.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iz4suvu4.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83D0CB069390438AA614A57F4EE37B5D.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES30D4.tmp
  Filesize: 1KB
  MD5: f399323e54b9ed3e0b4b315c94a15e18
  SHA1: d88a78e17bccc7cc678b35de5ba6872cac720140
  SHA256: a94b947e6a1a658000c4d326f8125b5e3ae30ba3fcf7a1700c627511483fdd99
  SHA512: 7e9fe317cd83cf7d413cbd42ce8584b16386d819985dcdea575ca0217eaa496e11aa1d729a5cd1f19da7370b4427f43307f29bb947cdcff44972f6b5d56833ed
- C:\Users\Admin\AppData\Local\Temp\iz4suvu4.0.vb
  Filesize: 14KB
  MD5: bc45b38669845a894d8f07342d86e7b7
  SHA1: 534e0ad60e89105cdd7926645cf37f944ba09ccd
  SHA256: f49ea6983b3bc48476d29832c9fb9677386b32c2acd1f42b228cb493396f7320
  SHA512: 4efd5694b2e2d3a20ec134ed1977fad41e01f68978bee6804ed91161a491709caa5a628af0156f476897fed3520100409ecb2e73708484c53e50e2f5170ee795
- C:\Users\Admin\AppData\Local\Temp\iz4suvu4.cmdline
  Filesize: 266B
  MD5: 9e0ea8fe4497a12616ab6304be9fd62c
  SHA1: f4c98a2326b79768071aff0add63de786dd7d049
  SHA256: 5e78da5d6156ad56c014937e13bcd60010807233e731a0a75cc0f1163a57ab96
  SHA512: f2ba4d4061d33378ba46be823fa89e5432a3f373b334893cf7df44941148ba13f7ca8cdeee9b7ab845e4c8157d23de849fe1b2e30de3644e1824a61221521e77
- C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe
  Filesize: 78KB
  MD5: 494c210c50c1a2d384b27270c9cc7c1c
  SHA1: 0b585c36bd15979cfdc07bfe9b69e4e633280ddf
  SHA256: 8241d0596127a0dc9ab34901767423c1b5ee9108da978794569392c2d5ffd959
  SHA512: cba829f79b7e056051dab4cd687be5f1e8d540bb15da5fa1b49a18eb9ae976eafa69c377e8bead739a7fbcf57ea58230daf224071c0f5aee856980c700d8b8a8
- C:\Users\Admin\AppData\Local\Temp\vbc83D0CB069390438AA614A57F4EE37B5D.TMP
  Filesize: 660B
  MD5: b41271be20342511274f710d12daf11e
  SHA1: 574435ae01389329c38cc82339612487e0383653
  SHA256: 41f2e2cf12e3547c75e95a167250a3305ebb39c09373a8d1fb6a75cd87c0a421
  SHA512: 5b9eb23f4763eada967278548a96b95f1d32292c6dd332c02cc4fe76fe5035a127985e91564d0c6d91c598b5e485773c1969a8c73c1f22007729d300b000f084
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- memory/4360-8-0x00000000024E0000-0x00000000024F0000-memory.dmp (Filesize: 64KB)
- memory/4804-0-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/4804-2-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/4804-1-0x0000000000B80000-0x0000000000B90000-memory.dmp (Filesize: 64KB)
- memory/4804-21-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/5000-22-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/5000-23-0x0000000000ED0000-0x0000000000EE0000-memory.dmp (Filesize: 64KB)
- memory/5000-24-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/5000-26-0x0000000000ED0000-0x0000000000EE0000-memory.dmp (Filesize: 64KB)
- memory/5000-27-0x0000000075050000-0x0000000075601000-memory.dmp (Filesize: 5.7MB)
- memory/5000-28-0x0000000000ED0000-0x0000000000EE0000-memory.dmp (Filesize: 64KB)
- memory/5000-29-0x0000000000ED0000-0x0000000000EE0000-memory.dmp (Filesize: 64KB)