metamorpherrat | d02377625a34a213c0d6db66457bedd56be7ed927510cb6a47afd8cf28b01624

General

Target

bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe
Size

78KB
MD5

bdae873ae2208b7a2c4c14701bf611de
SHA1

8dbb4b16367abcb161a59522ef6ab089c1547514
SHA256

d02377625a34a213c0d6db66457bedd56be7ed927510cb6a47afd8cf28b01624
SHA512

4e882f104b63a59718bda06f48c5c274807210fa354680a1e8fe4d59e41b61f1090888542b2dd55d129bd6c36f95686d58656a382cfc43a0d83f84ca560850ca
SSDEEP

1536:oHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQti9/R1tf:oHs3xSyRxvY3md+dWWZyi9/F

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
5068	tmp7B1B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	tmp7B1B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp7B1B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B1B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe
Token: SeDebugPrivilege	5068	tmp7B1B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 4872	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	84
PID 1304 wrote to memory of 4872	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	84
PID 1304 wrote to memory of 4872	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	84
PID 4872 wrote to memory of 1352	4872	vbc.exe	88
PID 4872 wrote to memory of 1352	4872	vbc.exe	88
PID 4872 wrote to memory of 1352	4872	vbc.exe	88
PID 1304 wrote to memory of 5068	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	90
PID 1304 wrote to memory of 5068	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	90
PID 1304 wrote to memory of 5068	1304	bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\knka3epp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1A6D736A1BC49DCAD2CC6C6F4ED476.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- C:\Users\Admin\AppData\Local\Temp\tmp7B1B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7B1B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdae873ae2208b7a2c4c14701bf611de_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7C64.tmp

Filesize
1KB

MD5
f3735209136d03e04813cdffc3075caf

SHA1
37118873b5d514cee4f4ece180b8388de432c02d

SHA256
1c7ffc55414974df77aa7fbe678fb7665c0674140b188987133397e95cc0af2a

SHA512
15b9d396c590f8873d453f5a74718e8e2865c46206b913b14bea12aec3d01ce048e8889f4e78eeae5e62aa7fb5d74bfa73eea9ca700613b8f11931d8d7f8891d

Download Submit
C:\Users\Admin\AppData\Local\Temp\knka3epp.0.vb

Filesize
15KB

MD5
3762390fb5482bf53da37ad9a3a49ef2

SHA1
78aa76d90fa21abf3ab1a0dbe4b1e6b8240565f6

SHA256
3bf1cf79b04db697b8000d7b0a121d68821b6451dc3071edfa0fa0b5efdb07f7

SHA512
7471717194815aa0a1b98b76fa03993b2099c180f610ca08901feec92c05bcf5a1730fbdb7e518ad2edd6e938f51111a56cdde01a9715515687f7d87d125ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\knka3epp.cmdline

Filesize
266B

MD5
c219ef8076151743169f225472854c4e

SHA1
f7a68bedd2d2a21eeab2278897a28f94e42a84a1

SHA256
1570061ac328dbe5c15589b333793fc4a762db010bc3463f53afe8d7883739b6

SHA512
52128e15adf27eefb134a7494872b656442ba69ff82880d7dd50d0bd8c6f874dea8e8f3a20806b47d63294499f36b791c0f03a45a8580535ee867caa7f059fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B1B.tmp.exe

Filesize
78KB

MD5
0e8c2c8af57654eddc9646824fb7f65f

SHA1
96ce1422a7c441eb07c0d129a6e1eb96ce841bbe

SHA256
4b405aa41fdabe41c452e83fb82aadaac618b7624b9d07b7140a9407f586e6e7

SHA512
a5720e1cd2051bda115fac2b4400aa91cc46d84774b45019df0f187dd01d52317cf92a98188f7a07e2263767eb5337b56a1c3a0c3d8750f0811e7cb9af6a073a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA1A6D736A1BC49DCAD2CC6C6F4ED476.TMP

Filesize
660B

MD5
b5b83b97f62b57dbb216fafeca055dc4

SHA1
8bad9c1d43d4144799f874268b6da72b6d8a1b90

SHA256
0eda5af8278d6958ef506cdd5dff7eedac913af18b6fa10d72219b4744b135ff

SHA512
5e364918752cdb7631262a4d6d97ac1c8b924134470e2eb29f246defd30ec84897770b7ab89138d8c227166de2fb1bc0888f7aab1e0f871757eba2dc4432f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1304-2-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-1-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-22-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/1304-0-0x0000000074D12000-0x0000000074D13000-memory.dmp

Filesize
4KB

Download
memory/4872-9-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4872-18-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-23-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-25-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-24-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-27-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-28-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-29-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-30-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads