metamorpherrat | c190c36ae18f007b7bb7d75ce40184beeae22f8943a35ca6bc010f6398828c74

General

Target

7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
Size

78KB
MD5

7cfcae244ac6874f2b32461bc5951211
SHA1

87cf097cd28d5ac97686d19a74553c22fc681e38
SHA256

c190c36ae18f007b7bb7d75ce40184beeae22f8943a35ca6bc010f6398828c74
SHA512

d54f70e2c23393729dc493f52465b73e2dbf9aa52ae28b9f6bfd3032d8a1140eabc5a116cd0f4cf91ad40069a80992b12741e77d8b0dc89e5b4208fc1612189b
SSDEEP

1536:6WtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLl9/n1yS:6WtHLdSE2EwR4uY41HyvYLl9/n

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4968	tmpB342.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB342.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB342.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
Token: SeDebugPrivilege	4968	tmpB342.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1980	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	85
PID 2364 wrote to memory of 1980	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	85
PID 2364 wrote to memory of 1980	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	85
PID 1980 wrote to memory of 3040	1980	vbc.exe	87
PID 1980 wrote to memory of 3040	1980	vbc.exe	87
PID 1980 wrote to memory of 3040	1980	vbc.exe	87
PID 2364 wrote to memory of 4968	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	88
PID 2364 wrote to memory of 4968	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	88
PID 2364 wrote to memory of 4968	2364	7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5myapv4u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB517.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74977DFA9214CAEBC9235E7115E06E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- C:\Users\Admin\AppData\Local\Temp\tmpB342.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB342.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5myapv4u.0.vb

Filesize
15KB

MD5
2e74eff9575bf8a7fa40adc757ef4536

SHA1
0148042d2083ace1f37c4ed51711478932fb773c

SHA256
0c552bfee619cc093e6354d8f20e72e569a1b69acb3097a55c310aec46697e4b

SHA512
8d2081d239e2f3bf796cd7a84cf8ee775a2e6b6f460c37cf93348bede4a00ad066ec9e3044cc35974a1bec5847217ad3db44bee7623e2a461d34198cfb2330f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5myapv4u.cmdline

Filesize
266B

MD5
b1fb655f9c04d0e674828d1e2e15cfb9

SHA1
3c570c44e39cfd2126da9c6740b6868b2c45e12c

SHA256
c6fd5e7bde3839373300db363d7182b075b76c0170876aa2f852d9496792a118

SHA512
cf1d53f7694bb7435a44242e94c789ece7b4d967be41a898a8e0566a5d50110abf7a3f9af367e2e215bdd51cac151ce051c5707dcb3281c15bc71c80b46a1718

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB517.tmp

Filesize
1KB

MD5
768ee0f6ca69a06279aa461838996d69

SHA1
51f9ea11b0010ca9c6938770469f0e0feabf2764

SHA256
7b2de5054943294da3ca9ecdc2bd8c89a15c59a72135af27f29a8d7e9fd32490

SHA512
f3367656ac05dbf4d55dede30a53209405d37d03393a86a2e6a2e43661340275f05081f36ed7c1216b5df9ec4295d911d74d043e14a98a4f06466777dd6f1537

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB342.tmp.exe

Filesize
78KB

MD5
f417fe9867ecb11d9c15ccd30b3fc8d0

SHA1
cf9dfa8f5548c567bbba8b1f6fda44d79f3fc911

SHA256
14b8f73cf673fa94d134f19a36fbbf314a76dc9e7608fcc1f406724d21abe75c

SHA512
cfa65f870766ad0bf9203cfc89863fb3e17d74560458cd8a3182c8e635e1efa8b126d4f67674ad9a8fb1db4ae403e846cef3cf77d724ff88157f721e7f90ff46

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74977DFA9214CAEBC9235E7115E06E.TMP

Filesize
660B

MD5
7af418d2697da9441e5783772aad7e6e

SHA1
09321705493fcd0a1e34a4f77edbbc6f7eb72dfe

SHA256
e2da4aeb08fb3e72d321cdea81362946f02de5a5717b812e66e4fa4879bf033e

SHA512
a30d0ad55483927d03ceb9a35fd50c5920c42ffdf296622bb6904a0eccbf8299318c4038f82097f67ed27277866ff8b26ae094f70aea605cfeb7dabb303d1e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1980-9-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1980-18-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2364-0-0x0000000075422000-0x0000000075423000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2364-1-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2364-23-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-22-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-24-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-26-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-27-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/4968-28-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads