metamorpherrat | 5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d

General

Target

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Size

78KB
MD5

fcffb4ce16c89877980e21fd9e6bf210
SHA1

e5ca389588a27d36979c1e9b4a71baab28808ff3
SHA256

5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d
SHA512

101e7a0a3bb8ce0a69f45a73d6116027715db9b97e681c0f023256eeb493936010f7319acbf5c9093db09e06ac38b0e28f8bf872ce72a6493672752dfb6abe3f
SSDEEP

1536:UtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtPk9/cr1aM:UtHLdSE2EwR4uY41HyvYPk9/u

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

tmp4055.tmp.exe

pid process

3444 tmp4055.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4055.tmp.exe

pid process

3444 tmp4055.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3444	tmp4055.tmp.exe

pid	process
3444	tmp4055.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp4055.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp4055.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exetmp4055.tmp.exe

description pid process

Token: SeDebugPrivilege 3276 fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Token: SeDebugPrivilege 3444 tmp4055.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
Token: SeDebugPrivilege	3444	tmp4055.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 3276 wrote to memory of 932	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 3276 wrote to memory of 932	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 3276 wrote to memory of 932	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	vbc.exe
PID 932 wrote to memory of 4988	932	vbc.exe	cvtres.exe
PID 932 wrote to memory of 4988	932	vbc.exe	cvtres.exe
PID 932 wrote to memory of 4988	932	vbc.exe	cvtres.exe
PID 3276 wrote to memory of 3444	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmp4055.tmp.exe
PID 3276 wrote to memory of 3444	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmp4055.tmp.exe
PID 3276 wrote to memory of 3444	3276	fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe	tmp4055.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opztbgs_.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES413F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF011A55AC4814B729B0C57ADF84D67.TMP"
3⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES413F.tmp
Filesize
1KB

MD5
e1592f73d13d1ebe77ffd660ba2446c7

SHA1
0ff9251cd4a1b5a41ecc0b1d12f0caddebd40f3b

SHA256
84faf825df65ed771c63f95b46a62c4344cf06a77bcc9c51a4692fc19bfa1d4e

SHA512
5b643ef162ce642f0ccf0bb7a7a6f9a5b66a66e3f4dfb3c04bf6a07b03b55b53c9aca42185d4260fe3d327a79dd3f8b52b605a676ff290abffb82309f9462724

Download Submit
C:\Users\Admin\AppData\Local\Temp\opztbgs_.0.vb
Filesize
15KB

MD5
e18710d60afe6585b6f9d1d6be636152

SHA1
f25c1673dbc126416a3084abfe22757bf961411b

SHA256
95738f52d0c8facb7db80f3800ce5bafddfa4cce89daa502cdabced319b32c04

SHA512
e5c825812c71fea2c3f4f8796476c9b259bfe7709adc8a89ecc63b74749bb9b424f66fc5c95d569e1d165c9bcb7127e4aded652a12cc7fd1dc3bb256c04ad04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\opztbgs_.cmdline
Filesize
266B

MD5
e98b178975e6da823692ea570c54bdf4

SHA1
6fab0e25d3d2406ef158f9fc196c1de0596f7095

SHA256
07b2ba5951a09133f6b4bed6e558742823a718dbd09b9e9dd3d8d5674bc69cc7

SHA512
79d0035f8a249ee75e7e7ce840cde5a3a35991dafe1fe76fd1d6ac799ac97823521c74110a9083ef80725c8665364176e538421581d86b38daf633c47eeb2e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4055.tmp.exe
Filesize
78KB

MD5
44e43eb0796442efdce4af0e36c1b0fe

SHA1
0176d024f376dd0da871e7e920afddd814a02fb0

SHA256
c89f07daec8bd9dd42aa2f619e019b9bc76f208aa720f69a7e048e990e19b6e3

SHA512
9f9e313a7b4464047f43cb4f6d2c34b58b3a29032f3e5d8420cfb9ad5756b9f71809611a3a713e1ec5496c2dc2eee7c3294f601a9637cdf86814727303dc24b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF011A55AC4814B729B0C57ADF84D67.TMP
Filesize
660B

MD5
b2fd489509397dc32a83270bab2b4e4b

SHA1
58ea9be226346e4f578088c6a5f38493618454d1

SHA256
90a84e2bbfbb722054fcfda2ef9c3d270d67b780a64deedf22d10b9170dcf5b8

SHA512
fb7e387c0113061d71ade8748a7d422eac246187b15b01fc5b2a9bf9272bcaff87ef40ded086c11bbc4fe33b1bbe3a2635c53a27cb3f1bb88de2ee176a072f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/932-8-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/3276-0-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-2-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/3276-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3276-21-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-22-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-23-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/3444-24-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-26-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/3444-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3444-28-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/3444-29-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads