metamorpherrat | 14590972dbc8599f7b62f1daa97e2774187a85e42bc2058514b8503f260cf100

General

Target

a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Size

78KB
MD5

a488a793801843c4e5c4f20a0bdcee2f
SHA1

5204c05066abdc553d1e2283bf3ffd84bbdf3a62
SHA256

14590972dbc8599f7b62f1daa97e2774187a85e42bc2058514b8503f260cf100
SHA512

1e16de930d9b9132e9163a63816fc6ada851a3b95ec0e7fab0d54829682ecabb2174130ca4b216390cca7430f49b88689caffe032596f46c3603ba02a91914b4
SSDEEP

1536:QWV5xLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6T9/T154:QWV5JE2EwR4uY41HyvYc9/Y

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
908	tmp9C6E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp9C6E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9C6E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
Token: SeDebugPrivilege	908	tmp9C6E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2592	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2592	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2592	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2592	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2568	2592	vbc.exe	32
PID 2592 wrote to memory of 2568	2592	vbc.exe	32
PID 2592 wrote to memory of 2568	2592	vbc.exe	32
PID 2592 wrote to memory of 2568	2592	vbc.exe	32
PID 2128 wrote to memory of 908	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 908	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 908	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 908	2128	a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w9knjpvg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D97.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a488a793801843c4e5c4f20a0bdcee2f_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

Filesize
1KB

MD5
c604e7f8ca257b312e35a99243dc99de

SHA1
3db3ac8a4e55240cd46b06318bddae14c2e35aff

SHA256
169afb6d61de6a749fbdd0e3b4c0039c7da9810018b00fe3df74af7f5c352ec6

SHA512
d42c037ccd1006ecbc37438d87bfad4e82436bea4c282a566d074369c8d88590fc829bc5b716f509c15952e061ffd88ecb31e8f9447ca382425428984c1a5ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp.exe

Filesize
78KB

MD5
1da91aca2837ec87e51324cfd075cb6b

SHA1
b8bce4773e0b419f0303f63e025c9a4a79ea3797

SHA256
f4c2acb45cd578a559677638b7daf4ad138a728c94f76e7b8274f1dbee2c4bdc

SHA512
3ff3ac6db2e5b6277d848dc5ea5143790576299e28a6b34969d8dadc1af378e6c38503b9fc1ecffd0d436a844cbdd25fb0349f83662682c6bb4b2690c0fcdda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D97.tmp

Filesize
660B

MD5
78e07370510200d4e6165099ffabe6e2

SHA1
98496ad6c053eb43be36b26718757d967b2318dc

SHA256
270418825b1ef4c7f5344d11fc6175dc24157a1516e745f48013cee02e2a1785

SHA512
72b4c7a8bc029d8ee506c4c6bbd93c2fc20f56518b6e0806d4b1433ca47cff05c8c02a87e34c0dc75f9604893268639ee07b3af2ec1521bcb933ccbd2349683e

Download Submit
C:\Users\Admin\AppData\Local\Temp\w9knjpvg.0.vb

Filesize
14KB

MD5
65893e5df07aa82ad786cb70cabdb8f0

SHA1
2055eab903358bbd0c126032969d2702e2ea4f75

SHA256
2b9a4f79226faabc8d1ed9a13c025ab4dbcf62284b71266ea1e89bbf7961a9f4

SHA512
c2f21cd15bd0c008a06e03d8af5d6d286ad7c56048a9cd9c1cb2329032022284daf16d30625745568e7a85c9e520374d2e3b701978fdb02dbdf5ff0295c83280

Download Submit
C:\Users\Admin\AppData\Local\Temp\w9knjpvg.cmdline

Filesize
266B

MD5
079841f17b94a469977774fe42663048

SHA1
198afb0c288fea807b5c1c85d8d87ff248547dff

SHA256
3415b7af260b185d12eae85777c0f83f82f2ade7dabae5527c559a08bca03e74

SHA512
65ed0be26d63649f3f898cf5044be6f1e97ff109131210d56535a373683bb9f0071071ebef13224ee149d467fd86f21f321cbf64f018abf0bdff077f19475b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2128-0-0x0000000075001000-0x0000000075002000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/2128-24-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-8-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-18-0x0000000075000000-0x00000000755AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads