metamorpherrat | e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386

General

Target

67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
Size

78KB
MD5

67dd5acb7ae0086fb4621ed8a72eba96
SHA1

68ecf17551df7d9bf52ee41139341e8e8458a8fa
SHA256

e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386
SHA512

995c2e189e0addc2e3f19dad6da97a65e231783293e22eda8c2e2dcbc37f70f842898c3e82b64cd26653d9f1b013a3bb6cd61c674c402aad66377b889a7bcee4
SSDEEP

1536:buHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte09/B1cn:buHa3Ln7N041Qqhge09/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2980	tmpD0F5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpD0F5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD0F5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
Token: SeDebugPrivilege	2980	tmpD0F5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3052	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	31
PID 2096 wrote to memory of 3052	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	31
PID 2096 wrote to memory of 3052	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	31
PID 2096 wrote to memory of 3052	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	31
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 2096 wrote to memory of 2980	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	34
PID 2096 wrote to memory of 2980	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	34
PID 2096 wrote to memory of 2980	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	34
PID 2096 wrote to memory of 2980	2096	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjkcdfqg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1B1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD1B2.tmp

Filesize
1KB

MD5
c604e99b4ef666ff677972c487c3bcaa

SHA1
8bbf0b7f61b5747c287026df07b536ce25ccb0b2

SHA256
ef735cc00300796eb2c8fea1a08022891b0715f590e309aad2fed8673743fb97

SHA512
bfc4a60f249253fafe2002e08dc3808c936554c8e64d70115b87de26f913f1d65790ea3777cc301a31ba323c517d84df47e3b29eafb20dace3c3f780355b9df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjkcdfqg.0.vb

Filesize
15KB

MD5
c8e255e1240a39c26d146d000e8f506a

SHA1
b28cba99ad5b2d6c75d6e69ec03b41f47cab3da8

SHA256
ec5cc79dde6394092c3bccfaaea7b13bd8c31566d6ccef46fa49e89f420dc74b

SHA512
8be3c1c083eb7cfab696e1fd1bc9f6f9e10a4f02da2334b8bbc67b308b58faf43bb0eda9c067d5adcc994a333289187eca8a0ae75f6730732bcf5ad33d8b190b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjkcdfqg.cmdline

Filesize
266B

MD5
90e013cd7ab97382174586e71e841370

SHA1
2bb25d195b376293c409f199537515664b0017e8

SHA256
a0324affc37b40eba0b1fffb5df245464f9aba68fd28b1c0b30cf2570ae24a5b

SHA512
d3d8be6ba593f7e7d150e325dcb28cd6b9575d8469241e4cd14b10aa41265a47901ffe0543aaa4b1d2a0e283f3d9a15e556e3b4a62d529726d5f26609100dc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp.exe

Filesize
78KB

MD5
81c80e8951b9c101faf3e94c168234f4

SHA1
06f2b2f0ec1f83bbd3aba2483f186d9ec719f047

SHA256
8706a82b244027a4a718ab67f36af9e6e666059f8e60cc2cb7b4854479d6d79e

SHA512
fcdbd2e15267579f3c1627bad720d124ae150fa9d4a5103950ebb1b4ea8bb3648fdc5887a8eb48d31d11af24393200d1d36f616f8bb35d24dc0eb7484d56c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1B1.tmp

Filesize
660B

MD5
d002ca595762fd179c521eb6f52b9898

SHA1
f2a428e5f0f57e74593b97c7396993714e210282

SHA256
16cee14a6d8793938804faf6ea1cd7e4bb2e521f2f1bb44fc1476d20f83a059e

SHA512
8023aa9b9105bb8db0d668a2d49f92ec3cc7f1ae123021dba91d40a7d9025d7f3aff35279dd3eea7073b3bbc658534dc7bd5ade7f31227622aa4252a5deab7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2096-0-0x0000000074F91000-0x0000000074F92000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-2-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-24-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-9-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-18-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads