metamorpherrat | 2b63a16f35062c14e35d9de5865ca84a06f9621481a62e761669439e0f0ebcd2

General

Target

3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe
Size

78KB
MD5

3f3cf1daafd7fd83c2d1805645194e69
SHA1

73ace58bc17161762d5a573cfcd08c03e11e2183
SHA256

2b63a16f35062c14e35d9de5865ca84a06f9621481a62e761669439e0f0ebcd2
SHA512

e3a00444779c531469e9cc2de2eb297853089a055b5348a45efb1beb47ef82a04fb67195df1af00cfab79b184272505b9c04d704fa9678a881efaa9f5645dbc0
SSDEEP

1536:fuHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte399/X1G6:fuHY53Ln7N041Qqhge399/D

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3180	tmpD409.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD409.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD409.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	tmpD409.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 60	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	86
PID 1272 wrote to memory of 60	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	86
PID 1272 wrote to memory of 60	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	86
PID 60 wrote to memory of 3920	60	vbc.exe	88
PID 60 wrote to memory of 3920	60	vbc.exe	88
PID 60 wrote to memory of 3920	60	vbc.exe	88
PID 1272 wrote to memory of 3180	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	89
PID 1272 wrote to memory of 3180	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	89
PID 1272 wrote to memory of 3180	1272	3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpssqovl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD503.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF597A92F19234C6DB785D077472BC186.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
- C:\Users\Admin\AppData\Local\Temp\tmpD409.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD409.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f3cf1daafd7fd83c2d1805645194e69_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD503.tmp

Filesize
1KB

MD5
7636eafac03dda687045f14e343db6f1

SHA1
9aa39ba269bb74b8cb6fd369f856e42cd5e82299

SHA256
5eed1ed0141060bf2ba8b504d206783c20599a86b51186e666039f09a9d6995c

SHA512
976dd06fba6dba8e6c8277993950f6f50e26b88acd81a5197abac9e0b17a0adc35e7f77b95661e49ec384b01e2dd37eb6e5f01d12ed3cb916903f8601025e250

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpssqovl.0.vb

Filesize
15KB

MD5
aee3af3ddbbf4c7271942fd759607da5

SHA1
f0276c933ee6d543a6c2d9102f3374dddac6b3ba

SHA256
501320ee05a30dee5ec70f05190743f78512cc08ccff6e76745ea79be55eb2a9

SHA512
8aee086ecd1d3f65287c91ffa5eed5200c20f5bb0a4e64421da62e953de25834a66757a625238f68e295a56da233fc61baef303461f335883bfb9ccc802ce9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpssqovl.cmdline

Filesize
266B

MD5
72c544dee577601d30b3ac5da1bf94cd

SHA1
e16e7d3133070e40a11fb69502da261f3b6ec952

SHA256
75f909a59094b6ae5c91f1f58c797d2aa7be909066603f2f5440e825e9584509

SHA512
8a0bb092a507a37d765aa6a028a5c70276a7a99a13937a50b413cce48ef09b0041400d594d456717b8ae157b1bc5bcf96e3806aee05540311ec8cf7ab3ea4504

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD409.tmp.exe

Filesize
78KB

MD5
f522c21dc2e42de81dbb723f94acb638

SHA1
36ac3d3eabaf56495d66dcdb40c78d5966882673

SHA256
ffcac181c26397432cac0b3d390313d733f492e4c076651463451d3966575189

SHA512
00dbdd11a4466ca524bc1203a61e104632061aa1fd668668ec049bc5b4a9733ce40afd41172f95f20cc8bf3ced0bc521e3c57499ddeb0d354615e18d2c142de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF597A92F19234C6DB785D077472BC186.TMP

Filesize
660B

MD5
73f2844369241f19e5ce3c0cebd8a974

SHA1
c73987be47c311f911da2f1f79cbe01e8e745d4a

SHA256
252369a9b5570279ffb8342ba981849ef47b4039b4b481155b2d3ce6ab4fcd65

SHA512
4e83b94317c806972f036fd9554d09921306a9aa6fd2717897d317832dfd6110bf613fca12db416c68db0742b63e343504b5857ac8feec358246234b1ba9458c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/60-18-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/60-8-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/1272-22-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/1272-1-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/1272-0-0x0000000075552000-0x0000000075553000-memory.dmp

Filesize
4KB

Download
memory/1272-2-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-23-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-24-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-25-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-27-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-28-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-29-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-30-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3180-31-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads