metamorpherrat | ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48

General

Target

06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe
Size

78KB
MD5

06af9b765f0971d34da6cee01bb0dfd3
SHA1

d418e6d883263be3253b8e7884b3481ee9e362ba
SHA256

ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48
SHA512

3d20ef5897663c30fc0669fc0f1498d9b7f9fee5a1ab002022a03140e9075797eb8c4108777f22888d44004dc914601a71066592ae9b1a3c52b03bab0959f285
SSDEEP

1536:RV5jSTdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQts6z9/Z1s7:RV5jSyn7N041QqhgF9/G

Score

10^/10

metamorpherrat persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
772	tmp4565.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
772	tmp4565.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp4565.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe
Token: SeDebugPrivilege	772	tmp4565.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2260	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	83
PID 2480 wrote to memory of 2260	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	83
PID 2480 wrote to memory of 2260	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	83
PID 2260 wrote to memory of 3008	2260	vbc.exe	86
PID 2260 wrote to memory of 3008	2260	vbc.exe	86
PID 2260 wrote to memory of 3008	2260	vbc.exe	86
PID 2480 wrote to memory of 772	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	88
PID 2480 wrote to memory of 772	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	88
PID 2480 wrote to memory of 772	2480	06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr6jf1jm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES468E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD582EE191DD740AA85D8249C6E4064EF.TMP"
    3⤵
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\tmp4565.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4565.tmp.exe" C:\Users\Admin\AppData\Local\Temp\06af9b765f0971d34da6cee01bb0dfd3_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES468E.tmp

Filesize
1KB

MD5
272ce53b76c0b2c88ce482e30487a1c1

SHA1
1712b55b492022ca2026b4c25be5988c0a896461

SHA256
e5a79a48d1df8fc63abf89967ea908407963f88593659866a5560c194be283be

SHA512
86fdb9ac6865360ed1c65ecd2af813f6a507e7e409873026e0736159bb209e64020bd8000b5598c4c9993d2a7d1b3b365db12dc4f9932e64ade771c8119d49f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr6jf1jm.0.vb

Filesize
14KB

MD5
da8b6f062191616c2819ef5f8a518de6

SHA1
3f6c394ee41900e3ce7e1ecb90dc202acc98618c

SHA256
03be24d041930434cb2510186d09cff25f96f4b1f6668f5f07402b966ecd5772

SHA512
cd6ee40f44a0b0ae4833908cd1213b25edeae5f82db7f95acc84d336955305b4a43a4e049ad6ecce213f57e9a257a1b7a864871c3ff52203a5908ad84c09d67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr6jf1jm.cmdline

Filesize
266B

MD5
895a004996ad949bbc59f2cd7b33cffc

SHA1
b093bca2dbcdb23fd84c95e39142b5487dca0a8e

SHA256
3deed3cc383937b7750908b74be5a1de4488b0020c50d47a182facf473e81df4

SHA512
8d1994102dca898d95a924b243df268c476b33c8df22f688c9d3467f2b7ffdcbf9072ba7a22fb9f31e4d78f2945369087a586d75a7a17bba0ee208b6d4043b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4565.tmp.exe

Filesize
78KB

MD5
70ab41d885514c0cad2d76dd95c58714

SHA1
1c31080cc6f1a76bfa640b68b7fd42b3508dff03

SHA256
1722a291fd4c027cc946126d45ab1c37e84a8c060d320f448df127a7e9dde800

SHA512
6fb6424362e04cef24e988ce7f7e6ab8866b99ce02ebd6de4bd765b06c69d08c729f7fbbd39fdbe9d309ed210de170dc80731be584fcaf50370a133f036e2cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD582EE191DD740AA85D8249C6E4064EF.TMP

Filesize
660B

MD5
e79b4e75b1969fd1473d28d1d297b1c6

SHA1
7077e01b68e7a6c963b201e8f2decf36cd289318

SHA256
5e27c09ee6b72cf563a6047d1fe13c2cf1d61bf1fe864d3e59be6b5c82600693

SHA512
04d4bb2e6a0f1945ae6cc3496d15c7b56b13534f82e96d0b821e02cd8158e6bc881c9ed8b1ccd320b79ac86f9daafc2dd1871f4c3452085c99c9f59636f04bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/772-22-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/772-23-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/772-24-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/772-26-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/772-27-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/772-28-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2260-15-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2480-2-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/2480-0-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/2480-21-0x0000000075040000-0x00000000755F1000-memory.dmp

Filesize
5.7MB

Download
memory/2480-1-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads