metamorpherrat | 2d4187af251d2617268f6cd938c0c051c95a71026936184f64419d7faf0b82bc

General

Target

e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe
Size

78KB
MD5

e97e498aed5d1051b758d56c1865d6b2
SHA1

178ffc6370c82966acff06f5b28132d9cb78fd6a
SHA256

2d4187af251d2617268f6cd938c0c051c95a71026936184f64419d7faf0b82bc
SHA512

74601fd303f2962643ec1cea5bd42b34350d0b8e63c69b32d8b38c1f801694236eb5af01be0ad59843427545ca047e9acf09b5ab6e7e2dd87c79fa79704d08c1
SSDEEP

1536:7HFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtn9/B1yP:7HFon3xSyRxvY3md+dWWZyn9/4

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2776	tmp9942.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	tmp9942.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9942.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9942.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2776	tmp9942.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2328	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	82
PID 2572 wrote to memory of 2328	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	82
PID 2572 wrote to memory of 2328	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	82
PID 2328 wrote to memory of 3284	2328	vbc.exe	84
PID 2328 wrote to memory of 3284	2328	vbc.exe	84
PID 2328 wrote to memory of 3284	2328	vbc.exe	84
PID 2572 wrote to memory of 2776	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	85
PID 2572 wrote to memory of 2776	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	85
PID 2572 wrote to memory of 2776	2572	e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4baexwc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc241E25851C9D401C9D2DC51353629EA6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- C:\Users\Admin\AppData\Local\Temp\tmp9942.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9942.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e97e498aed5d1051b758d56c1865d6b2_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9A0D.tmp

Filesize
1KB

MD5
ac7dc49adaa84611e9e28d496dca2300

SHA1
90bcbb3732120aca9703c2d165e62a09e09a05a9

SHA256
aec21acb932c4e3251ac438de16ba7612f7f5ffe9837f56dc95adcd129c60a84

SHA512
ab7b9e0f8611d81381559b2b49456ae4985e58ab132ff9575d1bd97e77725498f02e5bf68041699ba5aea6f0f3b8e2949b444b75c50e463543634dd9b31ee0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4baexwc.0.vb

Filesize
15KB

MD5
cbee71f87233c68337c64545d6bd697a

SHA1
ad7904f649581e8a82425df7a1ed5bc5a206a313

SHA256
c79e788e319ea1312ff036b3923fa6115900e24fd57b6b102fa0c3353f600432

SHA512
48a825b48337c064607b85ca75d6c734688bdd0fbafc53296d2eb04c8f562f6a423185036982f01f52c9ac9f268227f912384ab04450035b6c6d14ef0f63a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4baexwc.cmdline

Filesize
266B

MD5
a78b9bb3d1b1f12438d99904f24b014f

SHA1
74abe96f1250c7bf28284e3ea6d85a629ef468b0

SHA256
5b676467c55d7d60797975e10e55e6b1011efa7154026e43a1f9bda708cd11f4

SHA512
0dd8e35ea12a0b93b63506ddc114ee977ce309de293373782d857eadb2b465564e44cd9b5a9ef73de3f60bb4c2edebc2744d12a0395a5547ae2b26ded2b6e262

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9942.tmp.exe

Filesize
78KB

MD5
73148264dfc993cba334ebec6ecbe6a8

SHA1
dfd3befff8bbdf407209abd8f3ae9c204e0b8909

SHA256
fd19e6c5a02ed87a21035788dc8bd48bd5374efd7bff351a2d402be2543337a0

SHA512
aabdde3a6fcf0c94e71f37d89df1ad808205834221b56254851f130bc1a822b9c9408cd3ed9e0cbcb7ce73c9c153009365532def39d47b612cff85cf1671e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc241E25851C9D401C9D2DC51353629EA6.TMP

Filesize
660B

MD5
18c0b1648d6432df58714ece125324fd

SHA1
6cdf01c3d7db6bb96a3125d4244cb62f5257eb32

SHA256
de21cdd81fffcd43ef6507caaa633080572a1b559c1383324bfb653652f759e1

SHA512
c6e889ec5aaaf2fac3df510e5ad3bbe64a987d562d8f4a36dbc50fa9d4fb63c987e79e170fdcd27af3bbeb227e610b3d0c5eba9ead904fc78d45ac2d7b082765

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2328-8-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2328-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2572-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/2572-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2572-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2572-22-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-23-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-25-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-26-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-27-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-28-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2776-29-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads