metamorpherrat | ede02f6d37500c94fd48d0489f053f1de069080af87c37b61ed94d0073695e77

General

Target

fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
Size

78KB
MD5

fcefb211e318d701bcec407393ce85f4
SHA1

341535bfce9489d94cb968e130642de6926f8f59
SHA256

ede02f6d37500c94fd48d0489f053f1de069080af87c37b61ed94d0073695e77
SHA512

a29b06ddad664c5399ffa254c3f4b81aa54ae1a92434968f6906dcc6bd63132773e840c18795b4ebbf653a05d1154766be4ef61ad05829a7fa63f9ef8b28d375
SSDEEP

1536:dPWV58Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6kM9/f150:dPWV58yn7N041QqhgR9/s

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp22BD.tmp.exe

pid process

3020 tmp22BD.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe

pid process

2320 fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
2320 fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3020	tmp22BD.tmp.exe

pid	process
2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp22BD.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp22BD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exetmp22BD.tmp.exe

description pid process

Token: SeDebugPrivilege 2320 fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
Token: SeDebugPrivilege 3020 tmp22BD.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
Token: SeDebugPrivilege	3020	tmp22BD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 2320 wrote to memory of 2948	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	vbc.exe
PID 2320 wrote to memory of 2948	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	vbc.exe
PID 2320 wrote to memory of 2948	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	vbc.exe
PID 2320 wrote to memory of 2948	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	vbc.exe
PID 2948 wrote to memory of 2972	2948	vbc.exe	cvtres.exe
PID 2948 wrote to memory of 2972	2948	vbc.exe	cvtres.exe
PID 2948 wrote to memory of 2972	2948	vbc.exe	cvtres.exe
PID 2948 wrote to memory of 2972	2948	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 3020	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	tmp22BD.tmp.exe
PID 2320 wrote to memory of 3020	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	tmp22BD.tmp.exe
PID 2320 wrote to memory of 3020	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	tmp22BD.tmp.exe
PID 2320 wrote to memory of 3020	2320	fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe	tmp22BD.tmp.exe

C:\Users\Admin\AppData\Local\Temp\fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqbrkf1k.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2389.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2378.tmp"
    3⤵
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fcefb211e318d701bcec407393ce85f4_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2389.tmp

Filesize
1KB

MD5
5c0bc237b721fda3687e95b8921b6370

SHA1
11454809fc89509055a488d0258827e13f94b4e8

SHA256
d85a8c6c36bfb05dc664d49911cda93b9a5a4d439aed45eed15f02be504a686d

SHA512
dd3848f6f0ad4b6c89520ad7607da0fedd0910cd24db12d76cab551e0b9b154cafbedf5c96569e6cbefc86559f056c5a9a79896eb7c14d037f9f79c4ca4af124

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqbrkf1k.0.vb

Filesize
14KB

MD5
b639516f8cd9adab570648f0d53ce7c1

SHA1
e39d43ec4856b0731cb7f5e23dc6ae6969a1168f

SHA256
41e0e6065193fe785d51b2f2d9de01ba686f66e482f3fbbbc58a8c949c873cf5

SHA512
482bac0810b71ff1bad8248d52540ad24a01054813fb45427242ab01885a5ed6792a6baac6d31be86630fed686a8607161e7f8cd04733ed5143e49716971abb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqbrkf1k.cmdline

Filesize
266B

MD5
439f53df8c3e9ed120091fbf7363678c

SHA1
9e28b4556a95f65a898aec296c2cdf3f1558c7ec

SHA256
fd359069b7f0a203a23094b8df1e2d67ee35f584f350fde358f77a2c3bac7db3

SHA512
130bf76c5cb3daa04b6e62d696b3be56566f94b7d84b4e70639615c4438985e43236ea6729c35858c58a8188fbbb6be12579a74f868c473ce960186b37b79789

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp.exe

Filesize
78KB

MD5
12445d93ada4378f39a5c40bc2218fad

SHA1
96a6c093511d0121191352df8e44509495fd042e

SHA256
4b0c8892ceca0fbb6e773f43169ee3b4d010252017a4728a98498473fa0ecbf5

SHA512
9592fa13172261788f27a40e0da40640fdef60989d4a2ae90520a416a91781b0677a48925b0c5ff7cde2b01f5c3d5485b5a1796e98dce16eb67ded4051679dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2378.tmp

Filesize
660B

MD5
437379c14c29e3f51fcdb65cf8542b41

SHA1
9fb686b1c50cb4034f540e9dcd8b54c708cd3c3d

SHA256
31b690736bfc497091ab72bac05b54ff553b2882ad7620b3710eec2225fc907c

SHA512
f8299575975a7bd68d5ce514f26ac7a62581bdc3358fe3f9946828ed9ee7a7c58156bf91eb3748926443c8ffd252200c1cc05198cb1f9f00b9c9a1df31a1df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2320-2-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/2320-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-0-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-22-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-23-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-24-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/3020-25-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-27-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/3020-28-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-29-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/3020-30-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads