metamorpherrat | 7d5cd2323bf22d1dc34d4836a155ee5626b28ba74ddf91e3d5470e62358609ac

General

Target

ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
Size

78KB
MD5

ff520c09aaaccbeaa4e2e97bbae2a205
SHA1

f12e7b2d6258a3925608a474596fd37ef2fb0fdc
SHA256

7d5cd2323bf22d1dc34d4836a155ee5626b28ba74ddf91e3d5470e62358609ac
SHA512

45637c49edf5c17f73833c2e82447eac2ca2f9876a432480ad742f1aaa90754d962dc52aa1487a6d1b8013af301faf53237cdb11c2fd519209db18fabb1576ca
SSDEEP

1536:GCHY6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt++9/Jh1aL:GCHYOINSyRxvHF5vCbxwpI6W++9/Jk

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2508	tmp204D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp204D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	tmp204D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3064	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	28
PID 3036 wrote to memory of 3064	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	28
PID 3036 wrote to memory of 3064	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	28
PID 3036 wrote to memory of 3064	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	28
PID 3064 wrote to memory of 2580	3064	vbc.exe	30
PID 3064 wrote to memory of 2580	3064	vbc.exe	30
PID 3064 wrote to memory of 2580	3064	vbc.exe	30
PID 3064 wrote to memory of 2580	3064	vbc.exe	30
PID 3036 wrote to memory of 2508	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2508	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2508	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	31
PID 3036 wrote to memory of 2508	3036	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxwg6rvt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2109.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2108.tmp"
    3⤵
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\tmp204D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp204D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2109.tmp

Filesize
1KB

MD5
7407e9bb4756bbb58ca19e0f9f4a3fd4

SHA1
a4954809592d316799ff3b8428474857d76cc751

SHA256
5dc4a9ca4a67b60400557cc0fde1fef11933f29851b390d964d1288cd8e885d5

SHA512
0881fa7ce8e1c5d8fb2e0ddc7bb3b70374f6e9d0d1ebb6b9854dddc8f1ecb830f48ad0b8cc2197f032f5c7ba2b90999eed3389dc8ad59be827c110706d691ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp204D.tmp.exe

Filesize
78KB

MD5
a6f33108701472fbea5f477833a37f1d

SHA1
b21885f279cb2aadd767c9d8bc5e3161266a1a7e

SHA256
e6136842cc0877d0134bb660ba182aa3d8ddb517189a2174ca6c0760592b6030

SHA512
ce03e2a66a8657a25b798ee7e79fe53fe07af9dbf108690dcc4c4b8d29bbfd4cb0bebda67ca10dea052edf3510c4524a63dd1bc7a9b7337dc677437fbd16a18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2108.tmp

Filesize
660B

MD5
9c243f017a59ca40f8bb152bef9541a3

SHA1
d7a33fcafe94612916cccf302f18ab38fe060984

SHA256
f90337839aa612f08802377e482c41b2c106b5f023da5f6b191691b0b1c427e9

SHA512
9edfc48ade156687d8d543b963f7be794525e40ae52144757de2287e84a1a8306e3e9166a39808c9566b3e22c8080a0945bdab3f59e686d4dc4a95d28392163b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxwg6rvt.0.vb

Filesize
15KB

MD5
52a574fc0bca291e8e3d8f7829f90433

SHA1
c0ecf5fee38bccae70fb8fbaecb735f86e67e760

SHA256
753611c7f9c04c3a76f814581fcbd2838553f315cabe991a0cbec43f5ff4e581

SHA512
0dff3e57a9417136f5ffde40251b36973e884a881f1fd675d92449a3f10126aa5b3e6751a4b65ad5a11ebe3815e79a5175c514b3717344dca8d7297cbaa178e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxwg6rvt.cmdline

Filesize
266B

MD5
39caf967ce74f94506d598f364b8674f

SHA1
fa8821aac7edab760c34d0ee64bf4d25efd1e36b

SHA256
f94c20264dc0225b708868adb5ca64eec7173f835a1d5c37e2a2464be4fc57cc

SHA512
956f4d9dfd746e3c9ed959defd338f0c1c5292e0ab136bb1b5d632c1bcbb766166cfe5406e3e15b9cfe978d9f621da8ceb5f13df54197ef0e68732c9499c4ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2508-27-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2508-30-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2508-29-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2508-23-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-28-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-25-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2508-24-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/3036-1-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-22-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3036-2-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/3036-0-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads