metamorpherrat | 5d23f5511df523696fc306d33e0f8d5178f7187330ec2e48e243c4d8b5b6bea9

General

Target

0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Size

78KB
MD5

0fe23976241b1c9e68c3a8ec5e395072
SHA1

a5c43b46c0fa5f27ee836e6d7662a77b911cf28e
SHA256

5d23f5511df523696fc306d33e0f8d5178f7187330ec2e48e243c4d8b5b6bea9
SHA512

930fa5d3635bc8cd57d390caa106a05f190e24e33672673d68e07fd7a2641cd3dad4a4e5f183e69c8848864033874ee5b65dfcc9c012c1c72f9587dbf6889378
SSDEEP

1536:FCHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtw9/Q1aS:FCHFbdSE2EwR4uY41HyvYw9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2476	tmp4A78.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp4A78.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4A78.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Token: SeDebugPrivilege	2476	tmp4A78.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2608	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2608	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2608	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2608	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	30
PID 2608 wrote to memory of 2620	2608	vbc.exe	32
PID 2608 wrote to memory of 2620	2608	vbc.exe	32
PID 2608 wrote to memory of 2620	2608	vbc.exe	32
PID 2608 wrote to memory of 2620	2608	vbc.exe	32
PID 2908 wrote to memory of 2476	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	33
PID 2908 wrote to memory of 2476	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	33
PID 2908 wrote to memory of 2476	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	33
PID 2908 wrote to memory of 2476	2908	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzkuxhdw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E10.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4E11.tmp

Filesize
1KB

MD5
4a1a27cc00e8e5ebd3c2be0cb40335cc

SHA1
5d2a83eb16a21419b630fcaa15d06675d7c87825

SHA256
48bb58fe6feebb4a46e3dc4a5e5802f12fec8ca332cf794c0d62f38356ba33b6

SHA512
b3fa2a2903ec5adecf7d99e2e6f6238b38bc780ab4cf362e729565ee43abe5e4760a66d225a3fdb9f4667dbf687d3e713de454bee02b9ed8cc4a246fbf7c83a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A78.tmp.exe

Filesize
78KB

MD5
131b5c013e6c4306474939b6554f3539

SHA1
2a608172edf160a83af47a0ce73c42eed9cde7bb

SHA256
72c004ffc95282226d047493761f55ecdcf08fcf6b0a04d7d3c487602f251c51

SHA512
76dfae1300788b14d369e86831b20a01059c049b2e83d90bc2c85613c698b7444710e6db63ace5a73051f768b20d1d89942383daa1cd2200c7d5f7d1ef921788

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4E10.tmp

Filesize
660B

MD5
5dda6bc1a30e89fa111c75ba3c8655b4

SHA1
ae0238cbb8d8d7b9191339d7f7cad36711b3d1c2

SHA256
2c15c4b6692119c18e72b8db60448503d7b99d26e15e5e9079c5b6eaf2b11905

SHA512
15e10ef44867d52f2688b888c6d64f96e3c5d8141755daa8e9e90372c35b32b0213f2ff971154100ed52bba218c9796909984dbd3d621cae4ef6519a71244b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkuxhdw.0.vb

Filesize
15KB

MD5
748f8b1abb859fd91092a985864c324a

SHA1
3d44afce2dd61759ccb0243a6e7fd72baeab26de

SHA256
4510802340c0de3bc41494640b0251cfb4193d1efc7f0218b9f7070b3886e7fa

SHA512
712a7de641bd088e6822b3be47d244f6c4817533e2650a37bcb5ebaf3afda74e333b0928aeb241b663d537d1e9ec4f7da7a24ddc6db97066fe32b5c67744b003

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkuxhdw.cmdline

Filesize
266B

MD5
44d33d8a6c5eea9770bf8858f4d48e15

SHA1
ec34076aa0b3c1763c5db0181f1659917800b7c6

SHA256
932135c5d5c43330967fe23063ffef7930783fd7b5125eeb0b91c828d8d0dce4

SHA512
10482b85554ed1f3fffecd5f4af6b3d233baad2a649c7484b5852813143e6210f6e5cecd7133fae4f2aab492b07a02feb9255d611ddbab47b966462f3714c8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2608-8-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-18-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-0-0x0000000074FB1000-0x0000000074FB2000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-2-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-24-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads