metamorpherrat | 9b130f05c990d4db0ac3d873b1f5d53e06657db2adb18592019c60079ce826ef

General

Target

9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
Size

78KB
MD5

9086750bfcb440650c84a14318bed8ec
SHA1

35f92ecf8be5cea46c8cef95432b3d851fc116db
SHA256

9b130f05c990d4db0ac3d873b1f5d53e06657db2adb18592019c60079ce826ef
SHA512

a8eb7b8c66c27de41106be7e6f194363b2d696b0f4f478db8d357573dc8e13105de5b4e336dbce75c5a683a2805f1ab30cfb29dddd53d5b0807eb7ea353497b2
SSDEEP

1536:xPWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtG9/H1os:xPWtHFoI3DJywQjDgTLopLwdCFJzG9/f

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
808	tmpB6FC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB6FC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
Token: SeDebugPrivilege	808	tmpB6FC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2392	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	83
PID 4080 wrote to memory of 2392	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	83
PID 4080 wrote to memory of 2392	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	83
PID 2392 wrote to memory of 2868	2392	vbc.exe	85
PID 2392 wrote to memory of 2868	2392	vbc.exe	85
PID 2392 wrote to memory of 2868	2392	vbc.exe	85
PID 4080 wrote to memory of 808	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	86
PID 4080 wrote to memory of 808	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	86
PID 4080 wrote to memory of 808	4080	9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h5h6lc3y.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A38A9BA54284C8AA396D472B136C7B0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\tmpB6FC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB6FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9086750bfcb440650c84a14318bed8ec_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB8E0.tmp

Filesize
1KB

MD5
1a3d5288c4aacf3e335662d39eb879c3

SHA1
5edd1e8363cd31e7ac0a653ec12e45fce7d74b53

SHA256
d3880557446bc5fd806d3a453194aeb711314f2ea59b7347c1bb8359ddba0f92

SHA512
d22d9bff2eba6c187e5fc3a1c14ff64dcb3c287c22e32c4ae9371cb20d102d9d1a133c0a1526fc03824b1de31157c50726d250d98dc5e0d76acf62476434899f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5h6lc3y.0.vb

Filesize
15KB

MD5
f935f5e0306e55dfa48261448591c6c9

SHA1
73282991c35ea0496d09e68b9e3f1a8ea62c5c7e

SHA256
5acc4827bb1736694a2f2fb298ea5b955b05a012a273b2bfee32eed90b6e72b1

SHA512
77c7d46b370c2e1d2923fedcc685f24d6d330e8171336a82215da5b6f24bc7a1c0ed07d4e1dfdf65e3e5d9a59f2cae63dfb5b1a1bdfa0275d5dc264853e4b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\h5h6lc3y.cmdline

Filesize
266B

MD5
bcef258e626139793cbb8d7cf8d8bbab

SHA1
4c37470d605a89a077fd5bc114e7a54e26b26c16

SHA256
5a2e200af26d4f1451933c1376f4d19cd05d15417b5b80d9c17d6a4071d439d0

SHA512
41a458c181f02553ed331c06cbfadb72aa49219fb1d36ddbc3ae2183ab4af88ae5a2a3942b72608a23251bd5980e93591eb56089c91962ea6505254f82359a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6FC.tmp.exe

Filesize
78KB

MD5
fadb0ea53f1f386b635cd088af9ab323

SHA1
2328b74355a4bd23969a93411d86805932b94198

SHA256
7d447193e5486b9fb4d22b38d226587928d3680a1cf53683d8dec37152af6c5c

SHA512
c77f2ff0285069f43b3c365c1c15bb6e68c63e60c97af7f538eb34d631376e61ec01bcd7b4afa29c3809087b9e50ca3ce67180de59a19ac02b0a9a30bc5cb1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A38A9BA54284C8AA396D472B136C7B0.TMP

Filesize
660B

MD5
4ede5e8adcb44f2658858192e3bf1c88

SHA1
b244c9d5d8b8ada137f8f08c151f33c4b99c9b5b

SHA256
de10b813c9851e8090655d640b957c6aa6a95637dc42208803f82b77bf5d01ab

SHA512
7ac09e8bfd005cfcaed4e1f292c44713d9efc52ce98877c46a0fef8bee68bbd99c8e8acd1bfa1ff0441d9da638486906c8ee52f54640e5a5622b16d79d7b1cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/808-23-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/808-24-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/808-25-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/808-26-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/808-27-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-18-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/2392-9-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4080-2-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4080-0-0x0000000075112000-0x0000000075113000-memory.dmp

Filesize
4KB

Download
memory/4080-1-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download
memory/4080-22-0x0000000075110000-0x00000000756C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing