metamorpherrat | d9d24f8c1c5ff2fe02354051deaafde48edafea35070ad35e2c637e43ba85df6

General

Target

6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Size

78KB
MD5

6e9b6f144060ab2c990c7e690404af3c
SHA1

72bf0a100e8fe3a0456d451fe53b5a7da586d4fd
SHA256

d9d24f8c1c5ff2fe02354051deaafde48edafea35070ad35e2c637e43ba85df6
SHA512

24b57bc8285a7903a99793b9120e8a5ad29d8131e414f27fda56393c3e812e3b373e8bbfd67889cd2df4b75cf4c2db04e153ce5bc7addba0c234381fe4cb8110
SSDEEP

1536:6CHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtkH9/R10j:6CHY8dSE2EwR4uY41HyvYkH9/G

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	tmp9F3D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp9F3D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F3D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
Token: SeDebugPrivilege	4972	tmp9F3D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4060	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	84
PID 2796 wrote to memory of 4060	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	84
PID 2796 wrote to memory of 4060	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	84
PID 4060 wrote to memory of 800	4060	vbc.exe	88
PID 4060 wrote to memory of 800	4060	vbc.exe	88
PID 4060 wrote to memory of 800	4060	vbc.exe	88
PID 2796 wrote to memory of 4972	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	89
PID 2796 wrote to memory of 4972	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	89
PID 2796 wrote to memory of 4972	2796	6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uzxb0hcm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1724468E022437A8DC7241A6698384F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:800
- C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e9b6f144060ab2c990c7e690404af3c_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp

Filesize
1KB

MD5
a66e48ad397d39274d0a2f42aeaa9afd

SHA1
bb82d1a696fa9a05e5a58dbdeccec3f94166358d

SHA256
b49c4b7eb3cc2c0cc5a93ebbeec2f166cbcededc7116c07ad37ed7bdcde7ea85

SHA512
b437fa3aa8071abcda1e7293dd1ed8b4b68cd0e4d62b7e04dcd7d8fe2a8172e443c5fed1324524dd424d820f64c0bd86f527039a7570263c6956f0f12eb349f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F3D.tmp.exe

Filesize
78KB

MD5
01a91faa804d6df6aa3429ffa156d565

SHA1
db7136dad30700b49b7ba051f2bbaecb9f930b4d

SHA256
d7f6182d352788fbb144a56407f9d943693220417d2b90b870928050d63b8148

SHA512
4fe96436b17d661f829ff3ee56e3870092b036f432f8b5431b40765ccfaf519f9b4ac3c7d3c281033176e814d9ffe50281f32ee2486269945f54d0c99d0ea0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzxb0hcm.0.vb

Filesize
15KB

MD5
85a4cc8daa63ac979bf2ac1301513d8c

SHA1
8fdb8670437d880e7929fb828e69b7534be814db

SHA256
3568da1b69ef4a7053a20b877bf98561da3e9fb5a045833f55d717d28f4ee403

SHA512
5e743b9545dcab536968c808cd64d8aa4d5f0e41f302bc65572ad30723593594874418e8cbc3b79be341ecf54d63d7780fa78a7befdbbb4a61f630bec518097c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzxb0hcm.cmdline

Filesize
266B

MD5
5b68c42bb42d6fa55e3f1e62f8a52ea4

SHA1
7df3f4f28430a9b72bd89e86c1a02facd063f6d2

SHA256
e9b7c5b53965ef0608e46a9afe06f1c0e18089a027b0da73e88cc93a4ffc33c5

SHA512
7ae7fcfa0d391ef9cc64f1f636037797275ae6f2e3494b738e181734ba9c8eacb7a17e9444889618f3310df99bc8ce9ad9caf24381d573b8ea87c62020d277e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE1724468E022437A8DC7241A6698384F.TMP

Filesize
660B

MD5
ce9932a088d65e4486f58d42603fc746

SHA1
4f0482132d8139312e6eca1373df5466c29a29fa

SHA256
1b697fd00f6dbcf3588c3846d3666b74ca1b048c28cfaebd4623804bab9958d0

SHA512
1da82e309d719ebef3eb4718475dd5c0d56a42ffd2e51355d7f2dd284c2ba7d706ec4d1937808abf7c1883dde5a1d7b8ab45f83dee115ce8a21ff7dd65c6b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2796-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/2796-0-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

Filesize
4KB

Download
memory/2796-22-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4060-9-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4060-18-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-23-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-24-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-25-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-27-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-28-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download
memory/4972-29-0x0000000074FB0000-0x0000000075561000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads