metamorpherrat | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a

General

Target

047e2b220274efec3654b82f56552676_JaffaCakes118.exe
Size

78KB
MD5

047e2b220274efec3654b82f56552676
SHA1

3df7a72f37c4ad0b94ecfa4e83071cbcd6271235
SHA256

712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a
SHA512

7d3b0897b4be725ede778dd16f682a6886773a9eddc1847dfbd5ef177a8a627bf9c0d00acf83d0367c44a702ba8587708fdcef41b72628a6c1df6569b98a1b07
SSDEEP

1536:pe58Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961F9/Z1L4:pe58Yn7N041QqhgGF9/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	047e2b220274efec3654b82f56552676_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	tmpA9EC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA9EC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA9EC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	047e2b220274efec3654b82f56552676_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe
Token: SeDebugPrivilege	4756	tmpA9EC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3452	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	84
PID 1172 wrote to memory of 3452	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	84
PID 1172 wrote to memory of 3452	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	84
PID 3452 wrote to memory of 3040	3452	vbc.exe	87
PID 3452 wrote to memory of 3040	3452	vbc.exe	87
PID 3452 wrote to memory of 3040	3452	vbc.exe	87
PID 1172 wrote to memory of 4756	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	90
PID 1172 wrote to memory of 4756	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	90
PID 1172 wrote to memory of 4756	1172	047e2b220274efec3654b82f56552676_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\047e2b220274efec3654b82f56552676_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\047e2b220274efec3654b82f56552676_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5zngqo7i.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31950B4EE6BB4E7DAAC5753A6331F91.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\047e2b220274efec3654b82f56552676_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zngqo7i.0.vb

Filesize
14KB

MD5
24f7485d3185c1c843356fb2cf181cab

SHA1
17314a1adf625543ce5ca4e6fa640886988ff236

SHA256
7b2a738af4a1d5fca4f7e8a64fadb8ef7f5ac083643e4e00a7b5b554fc7c0231

SHA512
3fd69411f1f5c7ea06b3174846fe6832ec6a15d32f02614ae5719269dde3292aa27d13ca83a848fcf73e587a32293cdbeb816b64896b59467684c71433554f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zngqo7i.cmdline

Filesize
266B

MD5
d430cd355ff91d938d05373f989f8de7

SHA1
9f20428f3388dea7aaab7f5d03084109f546e986

SHA256
30244ee70577d28e1161c8a348ecd9a94a4fcd2ab50c81669886c25cb69729ce

SHA512
c83b8b6c8b7ef38e61faa68a0dd0344fc7885dbbfe2acaffe9b461394c5abf2c92a4439114c3a9456afafc8bc19859d9f9f5e7124efb4920aba7fc86a1ea57ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAF5.tmp

Filesize
1KB

MD5
da923a562af6564eb6f4b6a5e2752109

SHA1
ad93c02962c0f73d00503145bf0d63f697c907f1

SHA256
a8ac1ebabff956caa0ef05f245f7aa494ff8a5100f06c7ad7bcaf2dbf99a1b62

SHA512
d09aa337de188a14d6f9593ab11a51a28739c341f19f676f80714a61f54481148af02cb3a22aa6c980d2cf7a5d7c0b7ca252fc215ca3d5b3795aefd1aa48cbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.exe

Filesize
78KB

MD5
6f4debb8f26b6da7bdc94f3aa36a2c71

SHA1
0294c12a7527eb7df9edfbcace9bffa0c593f98f

SHA256
af27203ce10a2b1e7559059bd07d92700ccd8835362a206527325a91f1aaae1d

SHA512
6dbb75235c48b3cbd78b6f58dc4f8f23284463bb065b8bb2e75fa861b6805909fe9ab1b4baa0f7dd2532e42003fb1da5df348a248a90abc4542556f54b3b3f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc31950B4EE6BB4E7DAAC5753A6331F91.TMP

Filesize
660B

MD5
170c7b518d9eadbf2c34a9eec5a5aaaa

SHA1
8f924a56788a35bb3fea5d5ed9ae000d99791830

SHA256
802b8c605c67a0b4c7d62d6b69e4df74dc58fe93f9c673809db9061e4a3b961e

SHA512
964150d76e2ade1356d2f814a61bffc3bc82ef7a440f06c7dd7612e1a10969a7c6d750ecbf31a48ff31bd8b8b34fc65ad9ffcb13c8845f7527fa4c30a0b5c558

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1172-1-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-22-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/1172-0-0x0000000074C12000-0x0000000074C13000-memory.dmp

Filesize
4KB

Download
memory/1172-2-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-18-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/3452-9-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-23-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-24-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-26-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-27-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-28-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads