metamorpherrat | 7f5f519bc85e882918fe9da7d11426e0a5345812b69f020c35c4348c1216c000

General

Target

302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe
Size

78KB
MD5

302e22aaa09a1ea11233a1c5ac324498
SHA1

d053171c38d6a9c199ca0ca98d5614c033bf0294
SHA256

7f5f519bc85e882918fe9da7d11426e0a5345812b69f020c35c4348c1216c000
SHA512

438359d01ecbfe6a8a3eaaf9f0c3678c22756a105a4e7fc0f35cfc3b18c5795616157fa87ebc5ca2b0b41cf56fff5fd5894270cea60c760b5c183fb4bc2ecdad
SSDEEP

1536:2ouHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMH9/H1r:5uHFP3ZAtWDDILJLovbicqOq3o+nMH9x

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3168	tmpAB24.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpAB24.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB24.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe
Token: SeDebugPrivilege	3168	tmpAB24.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 5096	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	86
PID 4608 wrote to memory of 5096	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	86
PID 4608 wrote to memory of 5096	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	86
PID 5096 wrote to memory of 4180	5096	vbc.exe	88
PID 5096 wrote to memory of 4180	5096	vbc.exe	88
PID 5096 wrote to memory of 4180	5096	vbc.exe	88
PID 4608 wrote to memory of 3168	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	89
PID 4608 wrote to memory of 3168	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	89
PID 4608 wrote to memory of 3168	4608	302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5c456zbp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA92415054B64F79BAF557CD0A3C07E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4180
- C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\302e22aaa09a1ea11233a1c5ac324498_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5c456zbp.0.vb

Filesize
15KB

MD5
bfbffd16e64bba6df1208978453cc872

SHA1
bf98b47879677e038e3184847bfb27a77d54652f

SHA256
22de05f0232c20d20f7dec22179e38fc836f9e9b1657825cafbaf86919f1eefd

SHA512
91bee50c4ded2a084ce38bd8dad223fdd937521b76740bc6890960661d9b2cddafcc979e25429f91cab4dc2047fff51af70fb0858b45744711f9d7524920a93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c456zbp.cmdline

Filesize
266B

MD5
dc740513c24c949a03a851ac6a0dfe48

SHA1
a628cb5e3a5eb3da81707805912366061e36f6ff

SHA256
ba82d778fe36ef30db33ec572c6f564e3c3217452ff665e8e688df0a831738c3

SHA512
a33bcd806342fbcce76660bf5f93364581b323d77c047c290b3c390ae2cdc813a3ea6527037d4ed830479ab9c678c582e84e769cc3508c948d4883a5166900c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD18.tmp

Filesize
1KB

MD5
5b48e3dd8263832da09813a1835681f1

SHA1
0db88808f9c563ce4b5222b00af0e0d32146fc93

SHA256
f68545cb3e62fedb5c5aa817e7760cfb65d614e4415fc46a84e3f09b75427e89

SHA512
afbdf926d74c736115df8b42091c565f05ff7c461d5578890dccf87b09a184d04bbe7ddb3084727c3d1a59fe9118df4e568a13263735dc9c499f11498fc6a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe

Filesize
78KB

MD5
e07c1777eb9181561f4e69ce43661a86

SHA1
3e09f1f375025114ed8b98dff178f6e1e765b091

SHA256
64f168a49c8ebec671ba31cca7c27c17c4dc618aa1989d630a36a6c2ab69f6c3

SHA512
99a350a321e398afe5603d78cab72d7d8901f89863ce2153f15bcccf731bffc6db09f2b1e368cb0375123ddef11198684962e0edb12c5af01bfe6b788dc40fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA92415054B64F79BAF557CD0A3C07E.TMP

Filesize
660B

MD5
ddb7089e247f88db00a3c28e8da0405f

SHA1
5218167cbf2042e17292199befadca54d6964a44

SHA256
535b2dd68204128bb9933baed8e5dd5faca833ff695d3e32917921086c8244ae

SHA512
c7992b0a99902413caaa1fe31a2a51c10d0cad04819ef92e8e6afaa6af4957c88a8ff05c72bf6d72e38d2821338fc909e47cc861118543ea72b271479db00abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/3168-23-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3168-24-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3168-25-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3168-26-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/3168-27-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4608-2-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4608-1-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4608-22-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/4608-0-0x0000000074CC2000-0x0000000074CC3000-memory.dmp

Filesize
4KB

Download
memory/5096-8-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/5096-18-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads