metamorpherrat | 8cebb5246a4dfe46ebf08a8ff341a665da0eaf9a0247787bb7168f5a9382cab2

General

Target

43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Size

78KB
MD5

43148c76e6cb04dd497ad40d5056ec41
SHA1

c3649e17f7150d07592c8279c7a395cbefdb1d5e
SHA256

8cebb5246a4dfe46ebf08a8ff341a665da0eaf9a0247787bb7168f5a9382cab2
SHA512

267a928a0ae3d36739b9bb471ee389abb0069dc5f2e7c29b014973c73c1940c91f6d4c191b981c5c3e928768cce8deb19ec6f08363fbb23930796a6d16e8dd98
SSDEEP

1536:DPCHFo6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQti9//31xf:DPCHFoOINSyRxvHF5vCbxwpI6Wi9//j

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Deletes itself 1 IoCs

pid	Process
2244	tmpD50B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	tmpD50B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpD50B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD50B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Token: SeDebugPrivilege	2244	tmpD50B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 484	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	31
PID 2292 wrote to memory of 484	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	31
PID 2292 wrote to memory of 484	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	31
PID 2292 wrote to memory of 484	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	31
PID 484 wrote to memory of 768	484	vbc.exe	33
PID 484 wrote to memory of 768	484	vbc.exe	33
PID 484 wrote to memory of 768	484	vbc.exe	33
PID 484 wrote to memory of 768	484	vbc.exe	33
PID 2292 wrote to memory of 2244	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2244	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2244	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2244	2292	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rjnzwoin.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD77C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD77B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- C:\Users\Admin\AppData\Local\Temp\tmpD50B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD50B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD77C.tmp

Filesize
1KB

MD5
744e42296c96987ca6c03c73c2182b5d

SHA1
8a30501eb339b5487f7b547eb7c48616174ef210

SHA256
017d54eb89928e1e86785ea54b3dd528b9a4e1d1c185bff63465f20caed799bb

SHA512
bb9fac7d14dfcf8a388c07dffce3717c14ba6f39f41b8db5679ac388968535602273626b526165093de4d433ce9f7e05f1df10a9a4b6a6040b6ae05d3bb3e30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjnzwoin.0.vb

Filesize
15KB

MD5
4af8c949d42c58ef20733aa455194510

SHA1
c768cbb72248f38ae3367528d718ef678f079e90

SHA256
216a6264afda4ed3001564f5c1e2b5f798a51d3afaad30118df7bccaa532cd7d

SHA512
b5731863302ac3ad09f7a26af088ff16d6cead62385523faa06cd4e79f1a2d0a46fb32b223b7805691bb995af8c8288fd5cbc0bb8483cc774da74481ef98a187

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjnzwoin.cmdline

Filesize
266B

MD5
62fb6936cad1c6ee3575103de4adc8e5

SHA1
368da4377e08629d49b3f9c4134c7b8ec2134367

SHA256
2293a9e5db0c7b1cfb06c13821bb49f53e2da1cfac72a24e237416386a2e69a2

SHA512
e54fa1c829baf5d491becd0bbf6c617ce12ceb690e1eb8281dec7268504ed27172598e76e74102da7169aff633475a3d717a3388e668e153992206584514ed66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD50B.tmp.exe

Filesize
78KB

MD5
a35196e3f4ea4ced50d6dbab792d1515

SHA1
5217300c290132727d71002996b2051a9f6d8ca0

SHA256
1400f6ac62a5576bcf1ed2659342b83b9407818fe0a981e77136a2c3039c6166

SHA512
c17f02285d8aca914934d83d5fe7fc510cb4ab15c142c76acd988ddcdeb88edcfacfc91afd4d9b18a17963b5009a312bb0bf494d3166286472e305616ed1ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD77B.tmp

Filesize
660B

MD5
0a9e1930b8d87d73cbb148776a550d8d

SHA1
434e41ffa197e2564e8e585beb7b5c5845ed3255

SHA256
aee77f998f681631c85a2761d0ff2153913559e6ff211af45f326e44cbc9b205

SHA512
30d2f28dc87367c503d278453941e6f272fca038d166a2127bd4f52133dc3cac60abb8207e96858746b277b5957f929b9adc8d3b833075156314c595960ad522

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/484-8-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/484-18-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2292-0-0x0000000074A31000-0x0000000074A32000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2292-2-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2292-23-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads