metamorpherrat | 5d23f5511df523696fc306d33e0f8d5178f7187330ec2e48e243c4d8b5b6bea9

General

Target

0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Size

78KB
MD5

0fe23976241b1c9e68c3a8ec5e395072
SHA1

a5c43b46c0fa5f27ee836e6d7662a77b911cf28e
SHA256

5d23f5511df523696fc306d33e0f8d5178f7187330ec2e48e243c4d8b5b6bea9
SHA512

930fa5d3635bc8cd57d390caa106a05f190e24e33672673d68e07fd7a2641cd3dad4a4e5f183e69c8848864033874ee5b65dfcc9c012c1c72f9587dbf6889378
SSDEEP

1536:FCHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtw9/Q1aS:FCHFbdSE2EwR4uY41HyvYw9/U

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	tmp7F03.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp7F03.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7F03.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
Token: SeDebugPrivilege	4140	tmp7F03.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3228	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	82
PID 2308 wrote to memory of 3228	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	82
PID 2308 wrote to memory of 3228	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	82
PID 3228 wrote to memory of 2300	3228	vbc.exe	84
PID 3228 wrote to memory of 2300	3228	vbc.exe	84
PID 3228 wrote to memory of 2300	3228	vbc.exe	84
PID 2308 wrote to memory of 4140	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	85
PID 2308 wrote to memory of 4140	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	85
PID 2308 wrote to memory of 4140	2308	0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tg6ichie.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES808A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7528FF29A5EE48E880CFC92AD5587CDD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0fe23976241b1c9e68c3a8ec5e395072_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES808A.tmp

Filesize
1KB

MD5
473a854a64d4541102ee24b1602c944b

SHA1
18dfa1eae72c8e61cbfe76e0a83780be7454373b

SHA256
b93f86b8302448544fad8c83ec434f9737206038d935270c688783195b659c92

SHA512
96224dbff862b88b0e5db1a8d82a33d4ee05445f99218a96a77cab10bffd890ef7910c8fdc415dd22f36e206b9f00f0d7a341251c429c0ae52cd7e4e4b152032

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg6ichie.0.vb

Filesize
15KB

MD5
efaadeb340a3449a042ae381d76d5af7

SHA1
3666fec927a7cb9bd94b58aaf4244b154a861b59

SHA256
06a15bd113035f0ab3e1be0a5f9891cc35072984eaf104f98eb2f8e2a5ed8632

SHA512
66ab43aeb00169ac396e21083fb4fc57cec615cb237322f9ddb5cc6cbdd6b918bab13f822ef29ae8c4c44ec7d46d2cbe71bf6d0fbd0106c24e890a8402e70a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg6ichie.cmdline

Filesize
266B

MD5
fed45876304408da6fcc0eb0da004012

SHA1
5e8da3d262ac3abc68879d59356d0eee81a34c6f

SHA256
d55521d37822848a5f5db00d5653b1f98ef51b3482628272c14272af5b103c40

SHA512
d72d6ac3660af18ea9c805c351e1b2dd3ba0686362f29c296995dd9480aeacfe0aa4b458689c08ec78213059994c1d14c1b684cfbdfc1c7fb6e06f44342c6f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe

Filesize
78KB

MD5
d61cad32039c43f7e2d53008929320f1

SHA1
a4b52fa4782df4e769201dc8eedf895b54d9da86

SHA256
d8a474336068902216c82d14ce1d11f2b4a2d39c0598246143865ef615b97ac5

SHA512
7cd336a771bf2389684473e1f60d0c61f62a62e04009c5789524a32d1d2e92cac9a986a8ba257751bc89f5ca01c7b509633a5bbbeca02c8011cd1dad01d72a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7528FF29A5EE48E880CFC92AD5587CDD.TMP

Filesize
660B

MD5
b9a83166228a3daaaf604b9302741bb9

SHA1
552619300079783c0a73482823757a8c84ebe6dd

SHA256
055d061d73a296da6d8715fcb32b05d7959ebc23f2f58bb691a7a0a2afd2a81e

SHA512
e37f3850d3edcb53b2491ef1c1a959e4240f3bd657bf8375ee824b3474f529ea5fc5c9d341a61af6abb47505a74819ca9b44e1ac0f06b3c25d189a400858cf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2308-22-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2308-1-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/2308-0-0x0000000074C12000-0x0000000074C13000-memory.dmp

Filesize
4KB

Download
memory/3228-8-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/3228-18-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-23-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-24-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-26-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-27-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-28-0x0000000074C10000-0x00000000751C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads