metamorpherrat | d9d24f8c1c5ff2fe02354051deaafde48edafea35070ad35e2c637e43ba85df6

General

Target

6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Size

78KB
MD5

6e9b6f144060ab2c990c7e690404af3c
SHA1

72bf0a100e8fe3a0456d451fe53b5a7da586d4fd
SHA256

d9d24f8c1c5ff2fe02354051deaafde48edafea35070ad35e2c637e43ba85df6
SHA512

24b57bc8285a7903a99793b9120e8a5ad29d8131e414f27fda56393c3e812e3b373e8bbfd67889cd2df4b75cf4c2db04e153ce5bc7addba0c234381fe4cb8110
SSDEEP

1536:6CHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtkH9/R10j:6CHY8dSE2EwR4uY41HyvYkH9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
3004	tmpBE7F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpBE7F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE7F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	tmpBE7F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2724	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2724	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2908	2724	vbc.exe	32
PID 2724 wrote to memory of 2908	2724	vbc.exe	32
PID 2724 wrote to memory of 2908	2724	vbc.exe	32
PID 2724 wrote to memory of 2908	2724	vbc.exe	32
PID 2076 wrote to memory of 3004	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	33
PID 2076 wrote to memory of 3004	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	33
PID 2076 wrote to memory of 3004	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	33
PID 2076 wrote to memory of 3004	2076	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\art7ktky.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC13D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC13E.tmp

Filesize
1KB

MD5
ae1570436b9442691d92c2d4b4e6c0be

SHA1
38cfad50b88cd740ad791fda982a0998f46a19c9

SHA256
0447ccc5f4abeb4260f973940e50313e00ca50e60198d63d41f14c6b16bf02ec

SHA512
314d3b2f8e5013a1b6803c20a2231811c2ca06658a97fe959100a009994390b81c1b6cb1aa3263b77beba9c2ca6088efa2a3cf9b68a8c09e877665d656581587

Download Submit
C:\Users\Admin\AppData\Local\Temp\art7ktky.0.vb

Filesize
15KB

MD5
f99e98c25688c89824e7af570de246d1

SHA1
6158203a2f60187933842d736c8936ce0981e490

SHA256
0b4fc1af494ac6a9b5622b4136baaf9db38119b4338d38f57920e6e3b356ccaa

SHA512
7f0d4e5de6f60c457b9b87870b4a3ac495648521d1c01361786869dca3610568e954102054dcb1b73e640803cd4b4be89e02706eeb804385c9d4e57a0c26931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\art7ktky.cmdline

Filesize
266B

MD5
bdb3c1c1a6c95ab4b31698c5acd5aaa8

SHA1
f4b09b737bc2e2b223db5aa3e473311972e14714

SHA256
cdaae315e307d26c6d3f6f3bd387cab492c5eb5ea5b9166abb60c6251bf5ba0f

SHA512
b6abfa834b0c56d8e558227791e774675749aec721f2c7023ca1d2728c24618cd4617e87151528d977617209fadccf44e6a80f9f90afd4ba93418909f2de39c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp.exe

Filesize
78KB

MD5
71d3b8dfa755c01590f7c9bd6b93596e

SHA1
9847a8b5c9f1bdd0f13dc54762ca51939c514147

SHA256
59bfd27525d6e5857203b682db367ba9c4c427901d8d43c67a34a446dbf15596

SHA512
8927a9848c77fdb4e03b032cd7349460b2002db69ca9fb96b60191175ccbc2849110f9b2024d7692ffa7f1cd010fae41cfe27f233e16fae8c02cdcaeafe29757

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC13D.tmp

Filesize
660B

MD5
bd5bf6d494665e2ddeafa10860609940

SHA1
f940f510ba654201dfc6e467b7ffbb9d84422437

SHA256
cd68a6cfb0157fb6a6079e2597c7d6e12a9346e510fdb5dca360f3c492612d7a

SHA512
4a85d8e1704fbdaa73ba125918c0a548bbfcdffaff8309210d926c311e360049dd4f43d05a145baf0a2a0edbb9b6be442da6950aa46ea6b78335cdf4af5cbc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2076-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2076-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads