metamorpherrat | 7d5cd2323bf22d1dc34d4836a155ee5626b28ba74ddf91e3d5470e62358609ac

General

Target

ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
Size

78KB
MD5

ff520c09aaaccbeaa4e2e97bbae2a205
SHA1

f12e7b2d6258a3925608a474596fd37ef2fb0fdc
SHA256

7d5cd2323bf22d1dc34d4836a155ee5626b28ba74ddf91e3d5470e62358609ac
SHA512

45637c49edf5c17f73833c2e82447eac2ca2f9876a432480ad742f1aaa90754d962dc52aa1487a6d1b8013af301faf53237cdb11c2fd519209db18fabb1576ca
SSDEEP

1536:GCHY6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt++9/Jh1aL:GCHYOINSyRxvHF5vCbxwpI6W++9/Jk

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3108	tmp2D1B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3108	tmp2D1B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp2D1B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
Token: SeDebugPrivilege	3108	tmp2D1B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4676	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	85
PID 2672 wrote to memory of 4676	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	85
PID 2672 wrote to memory of 4676	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	85
PID 4676 wrote to memory of 2624	4676	vbc.exe	87
PID 4676 wrote to memory of 2624	4676	vbc.exe	87
PID 4676 wrote to memory of 2624	4676	vbc.exe	87
PID 2672 wrote to memory of 3108	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	90
PID 2672 wrote to memory of 3108	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	90
PID 2672 wrote to memory of 3108	2672	ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfusksal.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C534FCF11024A8A9735F3C4F5C3DF3.TMP"
    3⤵
    PID:2624
- C:\Users\Admin\AppData\Local\Temp\tmp2D1B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2D1B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ff520c09aaaccbeaa4e2e97bbae2a205_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2E24.tmp

Filesize
1KB

MD5
4dc41eb5641771c0cc4cd18a72324195

SHA1
7d3ca603467f8e07c3a2240a94ff1837eacd14e3

SHA256
b26057238ab072bc0eaaddb6f8c8da2312bb49585a01fccb920b614468b6ee62

SHA512
5c858877eecca7ff1d9a6b7b02d104af8d219fc8bb65381ee653e37601e65aee7141fda045f81b37a2411a5dd90bf3370cf478d38cbd4e67b88bd111eadf6b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D1B.tmp.exe

Filesize
78KB

MD5
d4d8e2d17d80c94380b962f78ad03822

SHA1
5fe146a26d03869d6f423e878b0d1c52cf389b39

SHA256
32a9ed7af648e8f855d8148c93dcf38f5236f2376a1698cea870057e64aa8881

SHA512
95dd5bfddbb1badcf78437421ca84734fe6e67f9a4fdec7ede104934b000970b893ca9de7f27cdd73114c1fa9103749d151e66fe57f3f1fbb3d38cddcce66ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C534FCF11024A8A9735F3C4F5C3DF3.TMP

Filesize
660B

MD5
8de7757115820082e25bd08dd7a5bf69

SHA1
f0e69aef76f511bf70569299651920a08a6eb32f

SHA256
587ad05a4260e9ea6a2613584b629abbd2012634db468c92f6cb6bfe069a131d

SHA512
5a8488714f678dfb57d111327690f748f9e61a433e42fc55434a71329fa744c0c81f774fcbf0d77824bd7ca1abba2776ce0fded9378d12bf9b4569b73f9da469

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfusksal.0.vb

Filesize
15KB

MD5
6cf6fea7ce4ee5b858c137b0e49d5cfe

SHA1
55c49913e264d8c5ced1a8cabb4fe25542a92af2

SHA256
26431a0ab0c9dbe14a143956e2d8e47d526c16e25306022ea553a7797f622e4b

SHA512
fb8acc57a5ab1bba1016273acbc93cccc6bcb8b57969d2fdbe7417891466f2d3ac452c7f7294d2c986103bb972bb3b732f7502073e89c3944ad9f75c29a1a130

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfusksal.cmdline

Filesize
266B

MD5
65671b59e4784b8d5f8ff808f9a00745

SHA1
b02d3d2a0b669d4f8d5285e8a69c5d95defef635

SHA256
03d958c4facd4a14cb7b123a770d19ec06f17d634ea257a925a2753639ac53ca

SHA512
8263e2e5d26b632ec1e4b14ecd7f9c7659af1c15d19f55b5dd365d9ad8e980abb6f1e015fe3c9281a3db665b219683f6c60480b8b10f73b2e209a0e4954fa39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2672-21-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2672-1-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/2672-2-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2672-0-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3108-23-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/3108-22-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3108-24-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3108-26-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/3108-27-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/3108-28-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/4676-8-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads