metamorpherrat | 115879ea154db5c6ab8b85fd0cdc3e08a688f4294c505da81e5be63c372438cc

General

Target

954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Size

78KB
MD5

954eab95321ab04402ae0957a35f0001
SHA1

be3bfc17a07431bb4c6d65f18dcdcab9f27c6d86
SHA256

115879ea154db5c6ab8b85fd0cdc3e08a688f4294c505da81e5be63c372438cc
SHA512

a12ac5ab7f6c3456ab4de5d5b6fdf6f07e70f694865806dee2a2bd1ea6160113f5b713dc8f0a32beac51b6ea35e1cd3936064b48d7560e1bb48eaa980a16c76a
SSDEEP

1536:XPy5jfXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtd6+9/m1Ma:XPy5j/SyRxvHF5vCbxwpI6WJ9/Q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2344	tmpC68A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpC68A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC68A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
Token: SeDebugPrivilege	2344	tmpC68A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2188	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2188	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2188	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2188	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2400	2188	vbc.exe	32
PID 2188 wrote to memory of 2400	2188	vbc.exe	32
PID 2188 wrote to memory of 2400	2188	vbc.exe	32
PID 2188 wrote to memory of 2400	2188	vbc.exe	32
PID 2988 wrote to memory of 2344	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	33
PID 2988 wrote to memory of 2344	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	33
PID 2988 wrote to memory of 2344	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	33
PID 2988 wrote to memory of 2344	2988	954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cb0a5k5t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC801.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7F1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\tmpC68A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC68A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\954eab95321ab04402ae0957a35f0001_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC801.tmp

Filesize
1KB

MD5
c79bf16942701c1b28aae1f619f5de27

SHA1
b24c57040b82606b9b04ffca6224be6e4b144cb9

SHA256
1d0f30228afb4c91a11ae7175defe1096225d487e9de838a601aceaba10e909a

SHA512
95abc8ce26fc91f78a5a9fb568da3e2f9e9b5d288b7b0172ad94c9f6ee70afa03d3c77a0151f4775e2573776a2408402fc4ce0f953d03424866b437ff4c05d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb0a5k5t.0.vb

Filesize
14KB

MD5
5c0d84d11eb7e5411835bf155283fb56

SHA1
000b83c75b9210ba82c811845a30fa913c2aee8f

SHA256
e5ec098455445047e19a4f811c93fd7e9fb7c291fe4dbbfe78e2cb013db0fb79

SHA512
1537712e19fc43fb65f6e18c0d18f93c51f63d50895c5fc5bf0eaac679c1f58fda15f0e17fc9bce40beaf32a1c08edd83dcd6f79f787e8e94ea41b54383bf81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb0a5k5t.cmdline

Filesize
266B

MD5
04947edf279bb65011339f0274b0bd10

SHA1
7fe9c9090bac17447440177ba948e7eba5640f09

SHA256
8e8a62d6ee63882df57bb4b44875bd791fa26f0300972d79c43ae5bb7debb802

SHA512
abf70abe7d7973b9fc979513e6b2dd75dedffafd3ad107cbd267d74073bf3876cf74104a121f7e24e5b17110d411be044364ce0a66505ac8a7390bba350f505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC68A.tmp.exe

Filesize
78KB

MD5
c6898968c1bd4102e62871a1cc77e4d2

SHA1
d28577e0199bd6c42fdeeb530170000d5698127c

SHA256
5d55da8a26d683e19f3a8134ee16e2d1b63242faa48c54ad078270f30d24610b

SHA512
0027a214af767f942391d9158a1eb6ee97d32f876fa56bf298f3a19bc7bdbb8511f7f2e37781cc51f10a0bcde611d22b191f0307f80efe068ee185fb2144b6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC7F1.tmp

Filesize
660B

MD5
e22c01db9f779d5df70158de75373daf

SHA1
8b47f63197ac0f84876a7f15a4470e96dd8a5292

SHA256
ba69cd47223fc8113f8e4c465d54cda0f44ef17bc58585df947ce7f41372d34d

SHA512
a4854b926885c383430f350f9cb03b8c7cb609d3332f53504eb5e97dff7853b246bcf627648f29701590cebf3fd36f371baa2735f307974e5774c58d74d04a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2188-8-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2188-18-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-0-0x0000000074B51000-0x0000000074B52000-memory.dmp

Filesize
4KB

Download
memory/2988-1-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-2-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-24-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads