metamorpherrat | 08f95054861648c4076c33d524cba402de0467762cf8f7e965ce26565afebb18

General

Target

1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
Size

78KB
MD5

1f368df6f51473d7ef0ef21c9475923c
SHA1

96e0a4fcae3b756700b6786f4372cfbb2d256958
SHA256

08f95054861648c4076c33d524cba402de0467762cf8f7e965ce26565afebb18
SHA512

b2003c081888cfa4fb04cd67161859e1c272193aa020c4e51aeb20c8dac8dfc1ee8f786accc97220588297440b1749f10d3efd13ac2dd5db4a5aa1dde421f85c
SSDEEP

1536:ZRWV58bXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQti67I9/h1FE:ZRWV58bSyRxvHF5vCbxwpI6WjI9/e

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4388	tmpB4C9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4388	tmpB4C9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpB4C9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB4C9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
Token: SeDebugPrivilege	4388	tmpB4C9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3336	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	85
PID 2456 wrote to memory of 3336	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	85
PID 2456 wrote to memory of 3336	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	85
PID 3336 wrote to memory of 3092	3336	vbc.exe	88
PID 3336 wrote to memory of 3092	3336	vbc.exe	88
PID 3336 wrote to memory of 3092	3336	vbc.exe	88
PID 2456 wrote to memory of 4388	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	89
PID 2456 wrote to memory of 4388	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	89
PID 2456 wrote to memory of 4388	2456	1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w9tea_d8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28E4DAA868064B58B2B9DD49B06EC9E1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
- C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp

Filesize
1KB

MD5
2f7a245b0c825631e0b2c3e449522f4a

SHA1
3f24a166dc1b2bb2e9f7770b514373ed67d93203

SHA256
362589aea6e822105a3d4d27e8a49ca5b960cd83a8f650634e212582d73fdc4e

SHA512
84978a0c1dd18a661fb9c440457eb156d71fd4af88703d7d8a368902015220469209939f2e83c0f0a59f2c5caa39a337cbdbb58aebc5342553a4bac8fd3b2315

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe

Filesize
78KB

MD5
47f8785b2f09e166c986e902d753f954

SHA1
5b5e2b5d88667d38511aa9ac7c0bc58e538b3e18

SHA256
bfd7d482b707d13dfe14a283d783b482d8dc643b056d92bf2eaacbadf2a9fd51

SHA512
0fefbb1cd11bf3e5791b3e4927b293fc65ec17a8ef9f96a155ae6e787e5700b252bc3004263af9f2a5dfc08575ec6a29d96809d7cf7f437c96d5a47dd8b86e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc28E4DAA868064B58B2B9DD49B06EC9E1.TMP

Filesize
660B

MD5
d0d953b0e257531819a1293526d40e34

SHA1
2e0eee39e6f253db843970305d142199ee1a02d6

SHA256
0704e9f6ac118ea51994e2ce195ce45456fe0c00a2bf459cabc699e4dabf735b

SHA512
70ce17c54d424eb4477415762c7b1848f4dfef5986e7a84f849b3437ea1d2006718edd49cc5c515c3300310de2e679008657fbd05dc7d1e22919b12d5f222a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w9tea_d8.0.vb

Filesize
14KB

MD5
1e514cc47d98ef17098ee7860b2dcc8b

SHA1
f8f4d9b1715c7fb2cd3d0bdc62ec5b8e1fdfce5d

SHA256
9f8899745c9fa0951472940bec858d0f77f01b783e6cfb16cd10539ee5dbcada

SHA512
41027a1e15a8e10c114bf72a18448c22e89f2653f071eb33aaf435413a204faf69f5bce054496125b78d41fe6451f4b6eca71c435e4294255b10a2101650e91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\w9tea_d8.cmdline

Filesize
266B

MD5
c0558357f055d8e1e88a47883850ee7f

SHA1
07bdd991e671056f41d61964eb351e9114ead6b5

SHA256
7d193c866c6df14f5c10c9c88ede24d331f84325a7649495fc5ca17eeaf5993d

SHA512
e84f8958a324aedf69674ea063ffd4ca0da75e8b776f4afec09082f1c862c6c42cd0d3106769bf8321cf83dfa78e68ae1d5d67ecc123ae32447a1371ea164c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2456-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2456-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2456-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

Filesize
4KB

Download
memory/2456-22-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3336-9-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/3336-18-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-23-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-24-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-27-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4388-30-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads