metamorpherrat | 8cebb5246a4dfe46ebf08a8ff341a665da0eaf9a0247787bb7168f5a9382cab2

General

Target

43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Size

78KB
MD5

43148c76e6cb04dd497ad40d5056ec41
SHA1

c3649e17f7150d07592c8279c7a395cbefdb1d5e
SHA256

8cebb5246a4dfe46ebf08a8ff341a665da0eaf9a0247787bb7168f5a9382cab2
SHA512

267a928a0ae3d36739b9bb471ee389abb0069dc5f2e7c29b014973c73c1940c91f6d4c191b981c5c3e928768cce8deb19ec6f08363fbb23930796a6d16e8dd98
SSDEEP

1536:DPCHFo6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQti9//31xf:DPCHFoOINSyRxvHF5vCbxwpI6Wi9//j

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4960	tmpBA09.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	tmpBA09.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpBA09.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA09.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
Token: SeDebugPrivilege	4960	tmpBA09.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 5036	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	85
PID 4996 wrote to memory of 5036	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	85
PID 4996 wrote to memory of 5036	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	85
PID 5036 wrote to memory of 3840	5036	vbc.exe	88
PID 5036 wrote to memory of 3840	5036	vbc.exe	88
PID 5036 wrote to memory of 3840	5036	vbc.exe	88
PID 4996 wrote to memory of 4960	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	90
PID 4996 wrote to memory of 4960	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	90
PID 4996 wrote to memory of 4960	4996	43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i9vcp9rl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22535237829443E0B9D8A6CFD73083F2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3840
- C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\43148c76e6cb04dd497ad40d5056ec41_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAC4.tmp

Filesize
1KB

MD5
ba141464dcbe9e2f395f719d31232b70

SHA1
48c7b6e982c7a8aefc1e0745e360d50e65136334

SHA256
ae6f79e93a5816935498f53863ebf460df044bdef2deb0b38ee42ce0b362a9fe

SHA512
28ed7462faa735431a6ebf3689269f64866539dbc0087f85139a3f90c39413e033f72feda451c21692d81c98937000d7989469cbeb62feb63dd909e64262db3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\i9vcp9rl.0.vb

Filesize
15KB

MD5
2365656b841d07dc1e55577a0a929119

SHA1
67c02ff7327a834b957ce0d4ef610dd807bf180e

SHA256
f201efdb9f04aacc2d9699bce1f807211c51d4437e67bd5febdbeedb63f4803c

SHA512
84cb9260b3623696736c8e6f97d325ec5d6835691ea575b085762d5db600a8fc41088757a9fc2e515330a4c3718b7b5a37fc31e2b353aefdde79222ae2a6b8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\i9vcp9rl.cmdline

Filesize
266B

MD5
57eee95bccf2997202f539c6d5d01929

SHA1
c99a8490ae011881336987d3280899abcbd8a3b8

SHA256
43a465449c599fc0193924ba0a84dcbc307fb996e14c035494f2c6a952b3e395

SHA512
ea9fc550d0e0cbaf4b8b0257f2485b1fc15390aeed0bade998e5ea8e31a93ed9f6fdcb1c6df78702cd90068dcc74592fc49d9f00b8c0151ce5459e4425931c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe

Filesize
78KB

MD5
6caa23820702822caafde78bab86054a

SHA1
b1cc96edb049f3fa621df5132da44cd1296aa59e

SHA256
5eff6250318ca8967f3f1b5899c19bedffd0617a7a5f50bae69a1d806866b1b8

SHA512
f16bba2355175f8e0c98d24f04f5c7f6a61765f5e595a50e0ebd9bccd4a674b2331ccf0eca2d8c378a12231a3fe43e741922646f1471c377e7e946110abeb86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc22535237829443E0B9D8A6CFD73083F2.TMP

Filesize
660B

MD5
b8588d9b82ad456ba85ec88ff02f488d

SHA1
ad2922a10f03c1c22427ad99632ebaa9c871bd3a

SHA256
d5e1451456c3a94886ea75936417c6f10b2a9def16589ea28568d6ef26796813

SHA512
f450366ac1ef1f942bcb439a9f00781a39edc93906713148878f17f8730a724f588d5be09e82bba574c1e778b52dc0cca498a4636c583fe5c7e230efadc64f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/4960-25-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-31-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-30-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-29-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-28-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-23-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-27-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4960-24-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4996-1-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4996-22-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4996-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

Filesize
4KB

Download
memory/4996-2-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/5036-18-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/5036-8-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads