metamorpherrat | 6a2aebfb2fa00d60a003c6bfe1ec0aa6f7881b247ef2d86c8b39025949c68996

General

Target

03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
Size

78KB
MD5

03751de8413f2fc41986a566dc5ade4a
SHA1

571e00b75115df5140ab0610ad6463c939899907
SHA256

6a2aebfb2fa00d60a003c6bfe1ec0aa6f7881b247ef2d86c8b39025949c68996
SHA512

2aa9c0720aca1dce36ba0fd44cbb2e5cacbcf0af71cb0544b082559d47b23824a5e5677fe321fc13904e9788d99045600b6ecf34eefbc64f28a067fe7efbdf75
SSDEEP

1536:QHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt1a9/J1YC:QHFo53Ln7N041Qqhg1a9/f

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2736	tmp52A3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp52A3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp52A3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	tmp52A3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2368	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	29
PID 688 wrote to memory of 2368	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	29
PID 688 wrote to memory of 2368	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	29
PID 688 wrote to memory of 2368	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2720	2368	vbc.exe	31
PID 2368 wrote to memory of 2720	2368	vbc.exe	31
PID 2368 wrote to memory of 2720	2368	vbc.exe	31
PID 2368 wrote to memory of 2720	2368	vbc.exe	31
PID 688 wrote to memory of 2736	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	32
PID 688 wrote to memory of 2736	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	32
PID 688 wrote to memory of 2736	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	32
PID 688 wrote to memory of 2736	688	03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iv55gxfy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5514.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5513.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\tmp52A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp52A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03751de8413f2fc41986a566dc5ade4a_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5514.tmp

Filesize
1KB

MD5
eaa96c8ceb62ebf60765a8650935778d

SHA1
081cfdfc5f8f9b35c011bb95fd4eb04bbf7a10f9

SHA256
bbbbef2aa505cb2a10362abda2aa94e6c127873fe6c6e4cd918b637c9a827ac1

SHA512
87c19a8158b8e1c668aac0f090afcea0fdc1d10ba42659cf0e6085e3a54b8545fb463d0a499666ca012fb87686f967ca17c0376a0f390e25ae0ca914177fe692

Download Submit
C:\Users\Admin\AppData\Local\Temp\iv55gxfy.0.vb

Filesize
15KB

MD5
bfd7a164f909f65873162429fb821d7a

SHA1
77491af9cf46e7ae325bd68571fc603d4f23176d

SHA256
8efd62e7c9e4579a0b9168b42a895259cc85670befbb26b9ce44a6c43bd3ae93

SHA512
9eec9ea3e1b5b15c897bff159722eff9967e5a5556676eebd792c605a63f982cbe505367d4bea8144799c4da6353118c4ac333f5614090e92f59a590f582fc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\iv55gxfy.cmdline

Filesize
266B

MD5
c54f5a588babc7d57ed3a9444c361166

SHA1
99fe5b1a03dd1d0a13b1c6084c58f58f5ac2f2b1

SHA256
ef978d38165f3b00ba24fff3f26abeca8dc377ce7e3dae8142d626b6d08923d5

SHA512
38d3877380034321888aaa79f41f235fcc272af80bfcba7d450370c1a451cc3ecd9ceb1a78ebbc41f5abbcacf4615f3a48355d37a0c257c95b4396f37b8bc0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52A3.tmp.exe

Filesize
78KB

MD5
431c8ed90ce2cbb42b5f6c459024b083

SHA1
bb26438218b6576fd88aa3973e7655612c11fc16

SHA256
c19f55c45f0efc044e0a772eafcb55c58da5c8e0ba26380cf3a008b163a60ce5

SHA512
61db93515bc75db3e0e04e3e2948c3482748d20242f0c0034a4dfd94889e23f1b7a9a91ea8669cf6700e8bf83fe99c8739475e5448ceabdeb23e4438f475adbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5513.tmp

Filesize
660B

MD5
065eab0a56792e3864f40177728f860d

SHA1
1426f4f0ea89d549a50a87b3e423fa4e3f72a0a2

SHA256
0a176738ca1aa9d17366e617cc027528c7dafdc5bcbc0e0638f18f116b4cbd36

SHA512
9acf00b3f04fd61f7c5efd300b87854fa579cff52745d0e95d7b648bb47b173494e17291230addcc5a3c9b01b9791e9e353d15773cef3f639d9dbdbd93726a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/688-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

Filesize
4KB

Download
memory/688-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/688-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/688-24-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-8-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-18-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads