metamorpherrat | 253b7724d4ffc202f44f17e9e5b0a6dc210ac5cf925e03a1aa0a0cefbe8e9b2d

General

Target

49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
Size

78KB
MD5

49d03048e717add17d2229db85edfb00
SHA1

5a21fbd0696daee13e740fcbce316e3eab251e27
SHA256

253b7724d4ffc202f44f17e9e5b0a6dc210ac5cf925e03a1aa0a0cefbe8e9b2d
SHA512

5eb33d968c505fc771080d2b2e921f2b753f245128b3d93e406310d1901a2765820475907a5d5296ba62acc187a7abb963aee797ffcb32e5052ffc1e58814b99
SSDEEP

1536:6sHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtw9/Jm1p7:6sHYn3xSyRxvY3md+dWWZyw9/w

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2712	tmpC284.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpC284.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC284.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
Token: SeDebugPrivilege	2712	tmpC284.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2464	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2464	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2464	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2464	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2044	2464	vbc.exe	32
PID 2464 wrote to memory of 2044	2464	vbc.exe	32
PID 2464 wrote to memory of 2044	2464	vbc.exe	32
PID 2464 wrote to memory of 2044	2464	vbc.exe	32
PID 2500 wrote to memory of 2712	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2712	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2712	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	33
PID 2500 wrote to memory of 2712	2500	49d03048e717add17d2229db85edfb00_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49d03048e717add17d2229db85edfb00_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e5osqiyg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC321.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC320.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49d03048e717add17d2229db85edfb00_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC321.tmp

Filesize
1KB

MD5
1be65a8ab45c98b319e689ce8c4c24fa

SHA1
c1462cfa8a61a3e2855887b2109c0f7a5bc581ef

SHA256
4b2a4b403a3108c9583dd1022e7526f4a1f15bc3a0461be70f60700ca8f6235a

SHA512
c55acb988da23c51cda33ecdb2cdc0bf8d67df3bbb89f53828a1dbc233523067539888147670bb01b1cff8f8d76d3a3573e29866d63a61d046fdc3b7e14f2d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5osqiyg.0.vb

Filesize
15KB

MD5
bdaa90b1a7cf74d3b20db3f25cd3fcc6

SHA1
eac88a14040081fd18a7684185ccd9f074ebe501

SHA256
0c77375a1b5bf598328a62a587af26338431c021582f8b6761e918e838b274c2

SHA512
6a9c73faafef11e9da29ea29d478e7aea35bb841c27ea4be39872a8303d3198419610153d8d0e9df237a01fe0a5b9cf9800f4881d53158b27bc57d5461b348ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5osqiyg.cmdline

Filesize
266B

MD5
cfb3bca61141582899cbed0914957904

SHA1
7c4e3e3a454239ea02da2d76fd54c31a39dc6665

SHA256
b45a931c7b336167013da5fb564595345343216867dea79e079a9e09126ef00f

SHA512
8b3aceabf587cfce9150fc6df26b7d82348917f6aed67538a54d31082d051e7b72d38b08ed52fab6144352fe30f4040b08743330447ec5e747f2a74d6568afd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp.exe

Filesize
78KB

MD5
12ce36a2cf44b23141ab37773ae0fbca

SHA1
f61bc8bb85d737033f28eae2cea16003bb31afb3

SHA256
ed211628d1a74b1d03df4dd5c956904c21773cf83eef72a969d12c504f66ad6f

SHA512
c2cf627f43c60f1471df5f6f4b2c0758fa20e87f6ab1ebdbc37ce78e90dce088cc141f462558f72580103fd0bbadc9aa420819b6b43f95219ba85060c7b6b433

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC320.tmp

Filesize
660B

MD5
9c3ac29eae6af1a586731edd9baab894

SHA1
398459ce53eef68a8b87c1ae3a7beb2688309951

SHA256
82cb8d0855e20a21d5dbc6889908884f4529ddbb21e9b795687b728283692b9d

SHA512
42cd2dcd5e1212d3db3c7e42bb13d550133a870530b98f7c7c5ad7be583bcf726b5b9e8b00ac758913e4978b374756862eea4bc26aa8bbeb1e57d24744e6a4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2464-8-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-18-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-0-0x0000000074E71000-0x0000000074E72000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-2-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2500-24-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads