Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 14:44
Static task: static1
Behavioral task: behavioral1
  Sample: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Size: 78KB
MD5: fcffb4ce16c89877980e21fd9e6bf210
SHA1: e5ca389588a27d36979c1e9b4a71baab28808ff3
SHA256: 5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d
SHA512: 101e7a0a3bb8ce0a69f45a73d6116027715db9b97e681c0f023256eeb493936010f7319acbf5c9093db09e06ac38b0e28f8bf872ce72a6493672752dfb6abe3f
SSDEEP: 1536:UtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtPk9/cr1aM:UtHLdSE2EwR4uY41HyvYPk9/u
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation (fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe)

Deletes itself (1 IoC)
Processes:
  PID 3444 tmp4055.tmp.exe

Executes dropped EXE (1 IoC)
Processes:
  PID 3444 tmp4055.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" (tmp4055.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 3276 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3444 tmp4055.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID / source process -> target PID / target process, number of events):
  3276 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe -> 932 vbc.exe (3 events)
  932 vbc.exe -> 4988 cvtres.exe (3 events)
  3276 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe -> 3444 tmp4055.tmp.exe (3 events)
Processes
  C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe (PID 3276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 932)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opztbgs_.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4988)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES413F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF011A55AC4814B729B0C57ADF84D67.TMP"
    C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe (PID 3444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
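The behaviours in the signature list and the process tree above make a compact detection case, so here is an added example that is not part of this report or of the sandbox's own signature engine: a Python pass that encodes each behaviour as a rule and runs it over event records constructed by hand from the IoCs on this page. The record schema (`type`, `pid`, `ppid`, `image`, `parent_image`, `cmdline`, `key`, `value`, `privilege`) is an assumption for the example, not any real sandbox's format. Two points worth encoding: vbc.exe is the Visual Basic .NET compiler, and a `vbc.exe /noconfig @*.cmdline` invocation followed by cvtres.exe is the footprint of the .NET CodeDOM compiler being driven at runtime by a process that is not a build tool; and the Run key lands under WOW6432Node because a 32-bit process on x64 (consistent with `/MACHINE:IX86` above) sees the redirected HKLM\Software view, so a rule keyed on the literal 64-bit path would miss it.

```python
# Added example: rule-based detection over sandbox-style event records.
# Not part of the report or of any sandbox's signature engine. EVENTS is
# constructed by hand from the IoCs on this page; the record schema is assumed.
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ORIG = TEMP + r"\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe"
DROPPED = TEMP + r"\tmp4055.tmp.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"

EVENTS = [  # constructed from the report's IoCs, in roughly the order they occurred
    {"type": "reg_query", "pid": 3276, "image": ORIG,
     "key": r"\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "priv", "pid": 3276, "image": ORIG, "privilege": "SeDebugPrivilege"},
    {"type": "proc_create", "pid": 932, "ppid": 3276, "parent_image": ORIG, "image": VBC,
     "cmdline": '"' + VBC + '" /noconfig @"' + TEMP + r'\opztbgs_.cmdline"'},
    {"type": "proc_create", "pid": 4988, "ppid": 932, "parent_image": VBC, "image": CVTRES,
     "cmdline": CVTRES + ' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RES413F.tmp" "'
                + TEMP + r'\vbcF011A55AC4814B729B0C57ADF84D67.TMP"'},
    {"type": "proc_create", "pid": 3444, "ppid": 3276, "parent_image": ORIG, "image": DROPPED,
     "cmdline": '"' + DROPPED + '" ' + ORIG},
    {"type": "priv", "pid": 3444, "image": DROPPED, "privilege": "SeDebugPrivilege"},
    {"type": "reg_set", "pid": 3444, "image": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "value": '"' + TEMP + r'\sortkey.exe"'},
]

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Matches the Run key under both the native and the WOW6432Node (redirected) hive paths.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Parents that legitimately drive the VB.NET compiler with a response file.
COMPILER_DRIVERS = {"devenv.exe", "msbuild.exe", "vbc.exe", "csc.exe"}


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def geofence_lookup(ev):
    # Reading Geo\Nation is how the sample learns the configured country.
    return ev["type"] == "reg_query" and bool(GEO_NATION.search(ev["key"]))


def run_key_into_temp(ev):
    # Persistence: a Run value whose target lives under the user's Temp directory.
    return (ev["type"] == "reg_set" and bool(RUN_KEY.search(ev["key"]))
            and bool(USER_TEMP.search(ev["value"])))


def runtime_compile_via_vbc(ev):
    # vbc.exe with a response file, launched by something that is not a build tool.
    return (ev["type"] == "proc_create" and basename(ev["image"]) == "vbc.exe"
            and "@" in ev["cmdline"]
            and basename(ev["parent_image"]) not in COMPILER_DRIVERS)


def dropped_exe_handed_parent_path(ev):
    # A dropped executable in Temp started with the parent's own path as its
    # argument: the usual hand-off for deleting the original once it has exited.
    return (ev["type"] == "proc_create" and bool(USER_TEMP.search(ev["image"]))
            and ev["parent_image"].lower() in ev["cmdline"].lower()
            and basename(ev["image"]) != basename(ev["parent_image"]))


def debug_privilege_from_temp(ev):
    # SeDebugPrivilege requested by a binary running out of Temp.
    return (ev["type"] == "priv" and ev["privilege"] == "SeDebugPrivilege"
            and bool(USER_TEMP.search(ev["image"])))


RULES = {
    "geofence_lookup": geofence_lookup,
    "run_key_into_temp": run_key_into_temp,
    "runtime_compile_via_vbc": runtime_compile_via_vbc,
    "dropped_exe_handed_parent_path": dropped_exe_handed_parent_path,
    "debug_privilege_from_temp": debug_privilege_from_temp,
}


def evaluate(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["pid"]))
    return hits


def process_chain(events, pid):
    """Walk proc_create records upward from pid; returns the spawn chain root-first."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "proc_create"}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        chain = " -> ".join(str(p) for p in process_chain(EVENTS, pid))
        print(f"{name:32} pid {pid:<5} chain {chain}")
```

The cvtres.exe record produces no hit on its own: the interesting signal is its parent vbc.exe being driven from a Temp-resident binary, which `runtime_compile_via_vbc` already catches, and `process_chain` ties the three PIDs back to the original sample.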
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\RES413F.tmp
  Filesize: 1KB
  MD5: e1592f73d13d1ebe77ffd660ba2446c7
  SHA1: 0ff9251cd4a1b5a41ecc0b1d12f0caddebd40f3b
  SHA256: 84faf825df65ed771c63f95b46a62c4344cf06a77bcc9c51a4692fc19bfa1d4e
  SHA512: 5b643ef162ce642f0ccf0bb7a7a6f9a5b66a66e3f4dfb3c04bf6a07b03b55b53c9aca42185d4260fe3d327a79dd3f8b52b605a676ff290abffb82309f9462724

C:\Users\Admin\AppData\Local\Temp\opztbgs_.0.vb
  Filesize: 15KB
  MD5: e18710d60afe6585b6f9d1d6be636152
  SHA1: f25c1673dbc126416a3084abfe22757bf961411b
  SHA256: 95738f52d0c8facb7db80f3800ce5bafddfa4cce89daa502cdabced319b32c04
  SHA512: e5c825812c71fea2c3f4f8796476c9b259bfe7709adc8a89ecc63b74749bb9b424f66fc5c95d569e1d165c9bcb7127e4aded652a12cc7fd1dc3bb256c04ad04b

C:\Users\Admin\AppData\Local\Temp\opztbgs_.cmdline
  Filesize: 266B
  MD5: e98b178975e6da823692ea570c54bdf4
  SHA1: 6fab0e25d3d2406ef158f9fc196c1de0596f7095
  SHA256: 07b2ba5951a09133f6b4bed6e558742823a718dbd09b9e9dd3d8d5674bc69cc7
  SHA512: 79d0035f8a249ee75e7e7ce840cde5a3a35991dafe1fe76fd1d6ac799ac97823521c74110a9083ef80725c8665364176e538421581d86b38daf633c47eeb2e59

C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe
  Filesize: 78KB
  MD5: 44e43eb0796442efdce4af0e36c1b0fe
  SHA1: 0176d024f376dd0da871e7e920afddd814a02fb0
  SHA256: c89f07daec8bd9dd42aa2f619e019b9bc76f208aa720f69a7e048e990e19b6e3
  SHA512: 9f9e313a7b4464047f43cb4f6d2c34b58b3a29032f3e5d8420cfb9ad5756b9f71809611a3a713e1ec5496c2dc2eee7c3294f601a9637cdf86814727303dc24b3

C:\Users\Admin\AppData\Local\Temp\vbcF011A55AC4814B729B0C57ADF84D67.TMP
  Filesize: 660B
  MD5: b2fd489509397dc32a83270bab2b4e4b
  SHA1: 58ea9be226346e4f578088c6a5f38493618454d1
  SHA256: 90a84e2bbfbb722054fcfda2ef9c3d270d67b780a64deedf22d10b9170dcf5b8
  SHA512: fb7e387c0113061d71ade8748a7d422eac246187b15b01fc5b2a9bf9272bcaff87ef40ded086c11bbc4fe33b1bbe3a2635c53a27cb3f1bb88de2ee176a072f1d

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 6870a276e0bed6dd5394d178156ebad0
  SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
  SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
  SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

memory/932-8-0x0000000000A30000-0x0000000000A40000-memory.dmp (Filesize: 64KB)
memory/3276-0-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3276-2-0x0000000000A40000-0x0000000000A50000-memory.dmp (Filesize: 64KB)
memory/3276-1-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3276-21-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3444-22-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3444-23-0x00000000012A0000-0x00000000012B0000-memory.dmp (Filesize: 64KB)
memory/3444-24-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3444-26-0x00000000012A0000-0x00000000012B0000-memory.dmp (Filesize: 64KB)
memory/3444-27-0x0000000075430000-0x00000000759E1000-memory.dmp (Filesize: 5.7MB)
memory/3444-28-0x00000000012A0000-0x00000000012B0000-memory.dmp (Filesize: 64KB)
memory/3444-29-0x00000000012A0000-0x00000000012B0000-memory.dmp (Filesize: 64KB)