metamorpherrat | 6be46a2cad469e031fd92c6b9ee9a0102de6c6966dd814c58af86ec546069ae3

General

Target

2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe
Size

78KB
MD5

2ba82031a75392ef48c94df719b124e6
SHA1

9417a2f223d0b4679f63c64f50a09b797560e15a
SHA256

6be46a2cad469e031fd92c6b9ee9a0102de6c6966dd814c58af86ec546069ae3
SHA512

8e831f341b94b47474457a3e20b4acd34703560019535df052184e31e080266289967859efc5cc6f905414dd592c0a52ecfa189833e92089b5fd133a65daf30f
SSDEEP

1536:APCHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtE9/0R1kt:APCHFoI3DJywQjDgTLopLwdCFJzE9/r

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2868	tmp7733.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	tmp7733.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe
2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7733.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2836	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2836	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	30
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2836 wrote to memory of 2684	2836	vbc.exe	32
PID 2316 wrote to memory of 2868	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2868	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2868	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2868	2316	2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t7gfhk8h.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES787B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc787A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2ba82031a75392ef48c94df719b124e6_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES787B.tmp

Filesize
1KB

MD5
342094e2db53c9d965561eec3e171b5a

SHA1
f7407a1ed3fa7ea8044a359e5f87558f486c5457

SHA256
58cb3562d3e7d646cf124e4a919379ef15f257abdc7c854f74f1d51b7c338e83

SHA512
399af826d60771831fb90a568e4edbe09b25efd055b837ba4d3649fe6c7b1f1e3a67f0a19dba9773a75cc199c46ec2a55e53e0e756050613523439618b4824b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\t7gfhk8h.0.vb

Filesize
15KB

MD5
d604ec40b584bbc4484efe8f7f5bf671

SHA1
91c6cc4d3ef870fd8f8520fe973da8f167d23474

SHA256
45ed4e6eedcacf7073a5379abcb7d73235b18f6f0a567b978846ac74bd90bd1d

SHA512
1c9af1c4dd98f6eda67875d9e372f62de79917ef3f02e9003478a8edc557123a5d593c9fd1333fa0aa72367099ec870d92e28b728ddaf1ff2fab0ebdcd859621

Download Submit
C:\Users\Admin\AppData\Local\Temp\t7gfhk8h.cmdline

Filesize
266B

MD5
c300e57f2bc7e4582a9c9296af0b9f2c

SHA1
cfefa2b9c8012ca684de0a8b881ff636973a5f7e

SHA256
151f268c8314011fa933d7dd879df441c67490cb4e74a2cbf90952808cbecb2c

SHA512
54e37bb03682712ffd7730caa63ed4d66e4b905fa7b76e743ed64ea5bcfb145f66561eab48c003f067e6efcf846a7e1b24935b3148e573d9f6d85bdcd0a3c83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp.exe

Filesize
78KB

MD5
7e0bbd499b5dd59991728d6a316f3520

SHA1
4a25658fd198c7e74a6c44086b928a4e587465f8

SHA256
cc15f1e7be495226560fee43caca64dd51341dbf278e0a95c19c061847649835

SHA512
2d72842380242ecb4258ff385faeb976cf089c12fde7ff28daad18db1212fc47abfcebfa897ef3756761c591a0950bc2965000688cd4ced659d8b60e58ac7236

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc787A.tmp

Filesize
660B

MD5
9cc142dc58fe199190b82f9c500bd319

SHA1
6702e376c6dacf3eac2eb169e4d06709588f9679

SHA256
eca5919a306ad1bfc36378c23c26b005a0442cdd77eee06661c5f867fe203782

SHA512
ea2aa8d9c5c03afce37cb356a80eff12a19fae885352cfc1d02e3df5355585a3d7d69d421eb270d5a6cae67ad41fbbe0e782b938db367ccb428bb1db1c526c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2316-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-8-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-18-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing