metamorpherrat | c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e

General

Target

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Size

78KB
MD5

fc878b59d0092c8c2bc7fc661594950d
SHA1

31ab99be8b4b77914a5992716126b59817b2ef57
SHA256

c0a69a814901d62d808843465e7f8b500e0b796a6a52aa464696f79345dafc9e
SHA512

606c5c7e3b64b27198d45ca5aabaeebc36955ab73698103aab4c5b5a257951d9b077c9b6523f5ebd92efae408fd763176137f068a8bed8c253404f2de4b72bf3
SSDEEP

1536:shPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96m9/Qc1ST:wPWV5jLSyRxvY3md+dWWZyF9/QZ

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

tmp3028.tmp.exe

pid process

5000 tmp3028.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
5000	tmp3028.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp3028.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp3028.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exetmp3028.tmp.exe

description pid process

Token: SeDebugPrivilege 4804 fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Token: SeDebugPrivilege 5000 tmp3028.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
Token: SeDebugPrivilege	5000	tmp3028.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 4804 wrote to memory of 4360	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 4804 wrote to memory of 4360	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 4804 wrote to memory of 4360	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	vbc.exe
PID 4360 wrote to memory of 1500	4360	vbc.exe	cvtres.exe
PID 4360 wrote to memory of 1500	4360	vbc.exe	cvtres.exe
PID 4360 wrote to memory of 1500	4360	vbc.exe	cvtres.exe
PID 4804 wrote to memory of 5000	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp3028.tmp.exe
PID 4804 wrote to memory of 5000	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp3028.tmp.exe
PID 4804 wrote to memory of 5000	4804	fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe	tmp3028.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iz4suvu4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83D0CB069390438AA614A57F4EE37B5D.TMP"
3⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc878b59d0092c8c2bc7fc661594950d_JaffaCakes118.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES30D4.tmp
Filesize
1KB

MD5
f399323e54b9ed3e0b4b315c94a15e18

SHA1
d88a78e17bccc7cc678b35de5ba6872cac720140

SHA256
a94b947e6a1a658000c4d326f8125b5e3ae30ba3fcf7a1700c627511483fdd99

SHA512
7e9fe317cd83cf7d413cbd42ce8584b16386d819985dcdea575ca0217eaa496e11aa1d729a5cd1f19da7370b4427f43307f29bb947cdcff44972f6b5d56833ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iz4suvu4.0.vb
Filesize
14KB

MD5
bc45b38669845a894d8f07342d86e7b7

SHA1
534e0ad60e89105cdd7926645cf37f944ba09ccd

SHA256
f49ea6983b3bc48476d29832c9fb9677386b32c2acd1f42b228cb493396f7320

SHA512
4efd5694b2e2d3a20ec134ed1977fad41e01f68978bee6804ed91161a491709caa5a628af0156f476897fed3520100409ecb2e73708484c53e50e2f5170ee795

Download Submit
C:\Users\Admin\AppData\Local\Temp\iz4suvu4.cmdline
Filesize
266B

MD5
9e0ea8fe4497a12616ab6304be9fd62c

SHA1
f4c98a2326b79768071aff0add63de786dd7d049

SHA256
5e78da5d6156ad56c014937e13bcd60010807233e731a0a75cc0f1163a57ab96

SHA512
f2ba4d4061d33378ba46be823fa89e5432a3f373b334893cf7df44941148ba13f7ca8cdeee9b7ab845e4c8157d23de849fe1b2e30de3644e1824a61221521e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp.exe
Filesize
78KB

MD5
494c210c50c1a2d384b27270c9cc7c1c

SHA1
0b585c36bd15979cfdc07bfe9b69e4e633280ddf

SHA256
8241d0596127a0dc9ab34901767423c1b5ee9108da978794569392c2d5ffd959

SHA512
cba829f79b7e056051dab4cd687be5f1e8d540bb15da5fa1b49a18eb9ae976eafa69c377e8bead739a7fbcf57ea58230daf224071c0f5aee856980c700d8b8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83D0CB069390438AA614A57F4EE37B5D.TMP
Filesize
660B

MD5
b41271be20342511274f710d12daf11e

SHA1
574435ae01389329c38cc82339612487e0383653

SHA256
41f2e2cf12e3547c75e95a167250a3305ebb39c09373a8d1fb6a75cd87c0a421

SHA512
5b9eb23f4763eada967278548a96b95f1d32292c6dd332c02cc4fe76fe5035a127985e91564d0c6d91c598b5e485773c1969a8c73c1f22007729d300b000f084

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/4360-8-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4804-0-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4804-2-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/4804-1-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4804-21-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5000-22-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5000-23-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/5000-24-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5000-26-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/5000-27-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5000-28-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/5000-29-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads