metamorpherrat | 395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f

General

Target

7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe
Size

78KB
MD5

7f743bf03266282eddbe781afd0e49b0
SHA1

b875eb4fdde070effa1d6c548690cbf88e11b0df
SHA256

395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f
SHA512

3b4f252d6f229e30b68bb2735c3ac57956b7417aba0ac235358ab6e17764f7637ff6825bda126128b1d380b33df34784036d932fb355ea2740e467695f6c570b
SSDEEP

1536:+5tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/I112e:+54n7N041Qqhgz9/Ih

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp6457.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6457.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6457.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe
Token: SeDebugPrivilege	2716	tmp6457.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3832	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	84
PID 2340 wrote to memory of 3832	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	84
PID 2340 wrote to memory of 3832	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	84
PID 3832 wrote to memory of 3520	3832	vbc.exe	86
PID 3832 wrote to memory of 3520	3832	vbc.exe	86
PID 3832 wrote to memory of 3520	3832	vbc.exe	86
PID 2340 wrote to memory of 2716	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	89
PID 2340 wrote to memory of 2716	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	89
PID 2340 wrote to memory of 2716	2340	7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehwswlyo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6542.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57A774B381B499AB98AE937C2C78A63.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6542.tmp

Filesize
1KB

MD5
96734b91aeb6914a9a739bd7892edcf4

SHA1
0640a6b355bc92a52ba88292122c0ca3a973a151

SHA256
1a92a1afeb19b5805937e8eee168c63a09a1e67d3562bc3b58cafa01e1984c5c

SHA512
301f47f18e680a42d32817eeb24358431b26db0edea48472bdfb4d96b7fb350285bf07cc1e63e1d89b37dd0d4a7c8c8f74381da25f0ace2a603d25d37b1923d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehwswlyo.0.vb

Filesize
14KB

MD5
4bc42464363e149d7318268de18cbedf

SHA1
190e92bafa2810ad7c68ee85ebd921655f8fa098

SHA256
215957866a9424819f747132d8bb4fc15208a0480fb62c0428fbad3cd1f16e03

SHA512
1184d8d323ba1dd60e8ae0c4ae13c10a9c67a96d112215d3590d61daef23a7f3babb6712d6a52ac5009449511f378d7374e45d625ad9cd53284e62a90cafdf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehwswlyo.cmdline

Filesize
266B

MD5
0dc954ed207e0d9b9216e3180160d488

SHA1
009d77d47a98bbb7ffa0a87ca2d9d1de8f025ffb

SHA256
deba964a388c9d858604c906740a37bfbcdfa32ec283a7e7e56810c66172c427

SHA512
de8811fdf399ed3e4c60457949a2c25a5ec85347a376692f8574878030373bf2c75204e663ed222346330174ec6bebd7dd52d07cc0fd65e85360c36445af401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp.exe

Filesize
78KB

MD5
fc998d6ffd19ca7410daac37273ce6cf

SHA1
8b04fb1b08ce058be59e5699b0a7bd5a84cad1cb

SHA256
a141c6f385f29f0a43f8fcfc58de537de5c66950e6dbff712d60acaaf9db0b6b

SHA512
4443a362a26e38f7766715e367c5f605d9f524fd25f91126786616224344391aa1bbe100f16c42b708cce51a5c28763c2f51777c497203b8a015d347d0ba89d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57A774B381B499AB98AE937C2C78A63.TMP

Filesize
660B

MD5
933f6aa8f83e5d07df4a85700439868b

SHA1
9c60da86e2f1f4836ca41061298abad527f327b0

SHA256
d05c9170a174c48bec91e8066302cfa4210d37afda0b633116db7e4354905afb

SHA512
8ded95cc6497e13e47db92c28cd2f5286dd60e78f35c2191dbcb87307da761f706af044960c8fa2fabce6deef7b43240bdd0a1b106968ee626cf7d3e6e26a3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2340-1-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2340-2-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2340-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

Filesize
4KB

Download
memory/2340-22-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-24-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-23-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-25-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-27-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-28-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/2716-29-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3832-9-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download
memory/3832-18-0x00000000752B0000-0x0000000075861000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads