metamorpherrat | ab00d908e860746759c34a2727516c05d0208c3bbeee3a7c9d59c2eace36ce02

General

Target

3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
Size

78KB
MD5

3e5c938ad6302c14b1f7c6797a3eb2be
SHA1

2f46ad2960e5f2f1c09ca91b75c36b772dc1eedf
SHA256

ab00d908e860746759c34a2727516c05d0208c3bbeee3a7c9d59c2eace36ce02
SHA512

6385e2a41549c0df9ff95d7e7b6327873a713d54466dc069103f3b378f1ce1f63b3fd3766c8c80701495fe8fd6b63073b5a7f95cc206ef054eabb7c4548c0b94
SSDEEP

1536:jRCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtek9/G1tL:jRCHF8hASyRxvhTzXPvCbW2Uek9/O

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2508	tmpCA8F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	tmpCA8F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpCA8F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCA8F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
Token: SeDebugPrivilege	2508	tmpCA8F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2404	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2404	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2404	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2404	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2520	2404	vbc.exe	32
PID 2404 wrote to memory of 2520	2404	vbc.exe	32
PID 2404 wrote to memory of 2520	2404	vbc.exe	32
PID 2404 wrote to memory of 2520	2404	vbc.exe	32
PID 2172 wrote to memory of 2508	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2508	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2508	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2508	2172	3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v69qe7hj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBC8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBC7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3e5c938ad6302c14b1f7c6797a3eb2be_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCBC8.tmp

Filesize
1KB

MD5
cbaec6f13f719975298d9a9a003a73ae

SHA1
9685b802eb2627b567c071ab290339dd5ffbe26d

SHA256
c4b6c382207f16f5b285f3fa38cc44d98f9c86fc4dd8cbce360780603712cfbc

SHA512
ffae8074208430b863dfd060328d17ffe5c41f75d5c70852d3ea3faf3157d7e8d591f0d27cbf5da46acabd99f1b2ce087d6e1fbdbfc12e0b719d3462c46c6c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp.exe

Filesize
78KB

MD5
0b3c795427ea397218e0aa5c657be080

SHA1
3b19b233e09f61888c0a83006a051aef957a1e05

SHA256
7e7ef22703c9592709cb56d9d9f5b86d5a1d4d20091513ec3ed77b9ad94c544e

SHA512
386ecd81c0e032e5767b9402fffeb6cd05e3887f1808a097ba1111fd01598c9e0c542d129313b80c4fe0742985ba42fada62ce5a0bffccf25d91d47dcfc8bf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v69qe7hj.0.vb

Filesize
15KB

MD5
dae5504b44cf692ef456540a3f65e732

SHA1
b6938372f022dba753235bda3c010c72b36124fc

SHA256
ceca6037303c4c02e28b249d7eb0adda2e75cd7c059cb130efe7c62c00ee11d0

SHA512
884a6ea4eb83980c83eccca9d3d81a67867aedf1c4274e11e857d592e19c780fb015ad0aac1c44c2be306088f39dfbab67add5d7cee027cf989246701eff8192

Download Submit
C:\Users\Admin\AppData\Local\Temp\v69qe7hj.cmdline

Filesize
266B

MD5
1d3d0c05552347172c4d72c943942912

SHA1
fea35a9f13d302de1f2e402846f1d36515576a6a

SHA256
4873b4ad3f09071d94fc429ba0b16069680976f2d68f9be08a63da7e253b51c0

SHA512
4434646839d2df578d735874034d94efef642967b204c5250ea0a6b6e10ce0e6575f45cd2b0d7a9e225598a81726a050894869651648ff08a3a476f6866b11e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBC7.tmp

Filesize
660B

MD5
2bc2ee70f6e9e69f945e113d397f9c43

SHA1
8e8cd080addf3b6130cc7107bd9199419ddfefc7

SHA256
4f826ccb364198cace53d66a83709687ed8e246ce9cdec4c974ffc5e12d5259a

SHA512
b0b4138a69b424f9d1f3e1f16944872102c36b804342a56fbe96cf7a629299e117fa4010932df437917a77c8a54dc1e7dd3f1ba6d72aff38fdc03b3a1dd7a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2172-0-0x0000000074081000-0x0000000074082000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-2-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-23-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-8-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-18-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads