metamorpherrat | 22f0ab8a4c6ab2479f6b7d2e7061404cedd344377a41f06bfb5c247aadc3cd00

General

Target

18a26b26496327a38ec522546064728c_JaffaCakes118.exe
Size

78KB
MD5

18a26b26496327a38ec522546064728c
SHA1

f8d221536a963ffe18bb8755a5b706978a693969
SHA256

22f0ab8a4c6ab2479f6b7d2e7061404cedd344377a41f06bfb5c247aadc3cd00
SHA512

2dae0366d9e4e88f61265db1354eb654cf31615af5f568f90be45cfa528971fc7cfc21bc0096db558444c60473045e71ed8203bd1a738606a014de801bd85e2c
SSDEEP

1536:GStHHJIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt8O9/041je:GStHpINSyRxvHF5vCbxwpI6W8O9/07

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2768	tmp81BD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe
2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp81BD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18a26b26496327a38ec522546064728c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81BD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	tmp81BD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3052	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	30
PID 2992 wrote to memory of 3052	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	30
PID 2992 wrote to memory of 3052	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	30
PID 2992 wrote to memory of 3052	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2144	3052	vbc.exe	32
PID 3052 wrote to memory of 2144	3052	vbc.exe	32
PID 3052 wrote to memory of 2144	3052	vbc.exe	32
PID 3052 wrote to memory of 2144	3052	vbc.exe	32
PID 2992 wrote to memory of 2768	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2768	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2768	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	33
PID 2992 wrote to memory of 2768	2992	18a26b26496327a38ec522546064728c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\18a26b26496327a38ec522546064728c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18a26b26496327a38ec522546064728c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rrn5bq3v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8547.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8546.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Users\Admin\AppData\Local\Temp\tmp81BD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp81BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\18a26b26496327a38ec522546064728c_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8547.tmp

Filesize
1KB

MD5
d3d2881428eb07a0bc9f690f2191150c

SHA1
5e8708bfedf242e7cc20b983fb2acf79b43b8afe

SHA256
c442b164a99eacc5e67c2ce530dde2a348c50ddb66f30b713ee525949bd67337

SHA512
d045f4d1207c088daa622f24bc03867b5653eae5077b050b6cf4e0c21df307a1ef8ae2809dac46bdd3fe09f83d052b4db10032aa121e5ece7fe4cf673fe9ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrn5bq3v.0.vb

Filesize
15KB

MD5
bdc39c632470c9d0ff3f4da511ca8d9c

SHA1
380cce4d1d188d4d0216bc342b6f41df383fd683

SHA256
d884590f69932d1a842cdb9bf6a0d2d80e639a4eca187d49c6e8df505159a45a

SHA512
5cd0b40a1330a473ece8da0c3ade96bdb5eb41df386b91ca87d96ee15a7d4701288bde9c7ffbd15aa4b2bae272bbeb080c147fa0b248b1a701d06160293f8b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrn5bq3v.cmdline

Filesize
266B

MD5
c68e67554a47fb653d8feae8e3208dcb

SHA1
461c97c6295024f8ad8f4e7307aba49f95eb4f33

SHA256
4821d80bba3910ccb72c3f0832bd89a85d72335d53a73e1b5f422039e35e79c2

SHA512
14401b864f0e4b7dae60c9718eea9dfd96b37f95f9b0f7fa157335a59004a0af66c789615ca33ec70681429510d5bafbe8f3885e5f2759ba53118465cbf82e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81BD.tmp.exe

Filesize
78KB

MD5
0c2ced7c081bbe1f14d774838798d1f4

SHA1
340ddd286a8ec729df9011fc8914fe1fe6ef8d73

SHA256
0d6f471743110811d6a15708853f20f24b19fad90ae840508399090572353951

SHA512
cdc00ad569fd491ca2409c61b24f213167a10ee80a73b5474af50613e781bc75eb43074817dabf56454d5efa2a655480714d0f5e0aa94601d84dbfa5107a6cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8546.tmp

Filesize
660B

MD5
7545f12db0b0ee160e7a4ab92fb3d5be

SHA1
5d9dc292252fa282a08070166a0f1646a4a0a770

SHA256
21423c12e4e1809ca57e044fdcce9b74a221526e2374ddb924ed630a4191b36b

SHA512
95d50414bcf00e713ab86d0f3e1d2d45db1d3bd0d07e7e7c7dd1af6e667ff57b5ce8d869ed14540b5f6b05cff65532d096f2fea56e1e9b9e047987561c97c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2992-0-0x0000000074AF1000-0x0000000074AF2000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-2-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-24-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-8-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-18-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads