metamorpherrat | e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386

General

Target

67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
Size

78KB
MD5

67dd5acb7ae0086fb4621ed8a72eba96
SHA1

68ecf17551df7d9bf52ee41139341e8e8458a8fa
SHA256

e45adb1bfff5105c3a9e78f551e3a04d59e147584beaa65aca43803e9710f386
SHA512

995c2e189e0addc2e3f19dad6da97a65e231783293e22eda8c2e2dcbc37f70f842898c3e82b64cd26653d9f1b013a3bb6cd61c674c402aad66377b889a7bcee4
SSDEEP

1536:buHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQte09/B1cn:buHa3Ln7N041Qqhge09/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3960	tmp83D6.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	tmp83D6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp83D6.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp83D6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
Token: SeDebugPrivilege	3960	tmp83D6.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 2172	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	85
PID 3476 wrote to memory of 2172	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	85
PID 3476 wrote to memory of 2172	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	85
PID 2172 wrote to memory of 1188	2172	vbc.exe	88
PID 2172 wrote to memory of 1188	2172	vbc.exe	88
PID 2172 wrote to memory of 1188	2172	vbc.exe	88
PID 3476 wrote to memory of 3960	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	91
PID 3476 wrote to memory of 3960	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	91
PID 3476 wrote to memory of 3960	3476	67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5ezr0ck.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8647.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43071058E7F44D98A6A464393B43B9DD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\67dd5acb7ae0086fb4621ed8a72eba96_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8647.tmp

Filesize
1KB

MD5
48c44c24cb825b5425d317bc643e0e3d

SHA1
ecdbf2469d07edec7921257c3493b46c29f1a0af

SHA256
1d1f77aad4fcfd509e0373e8e5be41a05fdc3625b9ecfa2517d95e19897b2a16

SHA512
62630dcda8399ebe3633f910a5c883224696c6ba6044c69bb81559ff60a81e98feb2ad424004906b11c19f26ccfaf2b47a47fb7e9e87d2edb38e76518103be53

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5ezr0ck.0.vb

Filesize
15KB

MD5
f5889899165f1faab933e2084e507d02

SHA1
2589ac6d91f6e5258698a9c2b0d95f34e03181ab

SHA256
604adeeba207d62ef1474de42063b0f3f75d5dafe55c623b23460256ca222160

SHA512
9df8de6b99873b273c120ac2f8384456bc538f031ede2f1195c0428c01a376589f310630e94eb18795b15bc82ac8d216b5e5ca73457320e9c4ef3af1f7799882

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5ezr0ck.cmdline

Filesize
266B

MD5
59c5de56037ade0acc0099c211ccf3a8

SHA1
69a9e1aa0d7fd42d402051cdd95b9c9a031a0887

SHA256
96e9e5a5fe42460bdb1ee85320d368f5c8212d612d3227bd299e15c93fdb181b

SHA512
9ab6f89ff9ab620fcc4fb236acdabaed6871c5e214eba6f7f1386a2e0e319d60f92b8edec392a2591a1c75ef6a5f1b0a0e52799f1b7c0c86058cb3833c82af4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp.exe

Filesize
78KB

MD5
b3243a4bfa5fee45ad5f9b7f49542ea9

SHA1
239ace592a56fe8d55395c735b16dfe316df0a33

SHA256
692a24bfc67ae877f3a09406ac30c5f00a19be17518930def4260198940d844c

SHA512
e6333fed999bbd82063d09838d9f5851234cd98141356e6ff0dd69d5aa7762bcdcf8d04d583105cc75f2d67f3d825fe0207c88ce08c6d605381c95fc146492ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43071058E7F44D98A6A464393B43B9DD.TMP

Filesize
660B

MD5
e2f14df390b49941224d9239028dde8b

SHA1
5d2d2581a7d5fc0cc276b67ac1fbe6c3c8c20e17

SHA256
ffc44bcd0231c50eb0f93666abe330c1f77a8689cc3637a63d30fe631efb9477

SHA512
8c19c2a170a4178d73e6080d72fd2a6a94c63f95786284fd43fb7f3033cc27021d543e47253a18d491fa5b1c00014fca3c4273e88a09909e32026a595bd7bfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2172-18-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2172-9-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3476-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3476-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3476-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

Filesize
4KB

Download
memory/3476-22-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3960-23-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3960-25-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3960-26-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/3960-27-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads