metamorpherrat | 932996b9f2e21e80a396b4b6b0f1fc96bfdc0a97aabc15756d96e156a28302e6

General

Target

76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe
Size

78KB
MD5

76c869916d576be8d79cc8f3e189889c
SHA1

d4f03bd6d56045c45d4c29f21d78c9c52ac9b515
SHA256

932996b9f2e21e80a396b4b6b0f1fc96bfdc0a97aabc15756d96e156a28302e6
SHA512

0bc2f606e1ad2d24cb09868017f3af6896cb7737bbb98b57e12f568addd05c939b79ee44e6043144c836a9fba9d1c3295a62f72b2f02603667df6368de08e4d7
SSDEEP

1536:7Py58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6F9/CL1D1:7Py58An7N041QqhgN9/K

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4308	tmp7EE4.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7EE4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7EE4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe
Token: SeDebugPrivilege	4308	tmp7EE4.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2316	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	84
PID 3128 wrote to memory of 2316	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	84
PID 3128 wrote to memory of 2316	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	84
PID 2316 wrote to memory of 4008	2316	vbc.exe	87
PID 2316 wrote to memory of 4008	2316	vbc.exe	87
PID 2316 wrote to memory of 4008	2316	vbc.exe	87
PID 3128 wrote to memory of 4308	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	90
PID 3128 wrote to memory of 4308	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	90
PID 3128 wrote to memory of 4308	3128	76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wvtc6djh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES800D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc738EDECF61E446A698E65590FC3DDAA5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\76c869916d576be8d79cc8f3e189889c_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES800D.tmp

Filesize
1KB

MD5
f7a717e261fa949d0fb403d1962fb808

SHA1
c4551896d5eab9af4a24eed934ae1484beec1cb9

SHA256
0ad6aca63153a19130b69afe7ec7bada49851b37a6629fadf4d909403ed697d3

SHA512
5bf4799a1991d9c39454c98903a16e580b0d6733e87526861e40fe11de3e2f6bb0597ecaae7fc4c543c8529236866e1699a908ce5ab013b11e5d8f6d57c99747

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp.exe

Filesize
78KB

MD5
6f624aa6210eace6c562b4843ec05ad1

SHA1
530936ed137610afd040cc26af7d23d7273a29c6

SHA256
8c7001d175f7609fe5820928c578933960dc2193e2da0574a7d34810e4fff2f6

SHA512
d970475ee18a028c66fad709bdc8ec9ba14cae627ff708064f6736b4e09f3da0b6dd259fa39ba21454d15a49dac998dca762c69f7dc2829192a979236c3a77c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc738EDECF61E446A698E65590FC3DDAA5.TMP

Filesize
660B

MD5
d9a343889bbb63ddaee08fa075b63b35

SHA1
abd898d3695955b052bfdc591e3451a8db3144fa

SHA256
790d6338237c6a3eb6660e62d8ae80387f446793ba1a3d7f4fdb3973c6e515c8

SHA512
a3eb129c72987860ae5f816dd6232c6519f114c42d82f5af1a55f5945268deb2646ba591c7da9e949d20dc0aeaf7cd2f05a3099a79ce9e0189336d473c26bbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvtc6djh.0.vb

Filesize
14KB

MD5
37271e0b1f5bfcc252660947e9e1e87f

SHA1
5556a0f2258dd991f07812a5d2480681013f03e7

SHA256
84ed553ebc645aa72e83167fb83ddaa2a57a66b524f8f93c3f588a9283588275

SHA512
4e8816f667a77c3aad31f0f27a1ede83b25329f17e921ba1c80139ccd1934d54f44bdc588fbd37c0e40c21df8df318fe38b585feeea33f3c9f55d2e02613e178

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvtc6djh.cmdline

Filesize
266B

MD5
27bcafd1eb689e93baafe65e00fbb063

SHA1
c594835151a82604ebcbd6ccf836a2c555574de0

SHA256
aabf3f3c75488f4502820bc3259a11afca0ec9ec5d6f79b6c683eb6f4c18806a

SHA512
52a55e0d786d6e893fb2b4f99a856ac55075921ad0c7038411c906cfaa9d839e1c57d409e8b5cea668fc9ca9bb299e0e59f4606542957f75787e9750ae50ea1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2316-18-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/2316-9-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3128-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3128-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3128-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/3128-22-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4308-23-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4308-24-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4308-26-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4308-27-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4308-28-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads