metamorpherrat | 9ce7322fb16fdc6a5f36681ee86f2e7921a37db56f4820f2f234d7404ece461b

General

Target

aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Size

78KB
MD5

aafb5fff965f689734311b601f60ccdc
SHA1

abd980f120d0648643f6e969ae496003f2d4ca6e
SHA256

9ce7322fb16fdc6a5f36681ee86f2e7921a37db56f4820f2f234d7404ece461b
SHA512

cc0a757890ddf38fa13566a0853b52b472662626dcbe33ef1978fc5f62d24934bdfc51c1af2e89a5898017bd544fdae6f70941b7e95b608f51200ba0b11c75c9
SSDEEP

1536:Py5jSmVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6th9/p1fg:Py5jSm/vqyA11XYUBxprBPjcT9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2676	tmpEBF4.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmpEBF4.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEBF4.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Token: SeDebugPrivilege	2676	tmpEBF4.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2792	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2792	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2792	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2792	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2772	2792	vbc.exe	33
PID 2792 wrote to memory of 2772	2792	vbc.exe	33
PID 2792 wrote to memory of 2772	2792	vbc.exe	33
PID 2792 wrote to memory of 2772	2792	vbc.exe	33
PID 1904 wrote to memory of 2676	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	34
PID 1904 wrote to memory of 2676	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	34
PID 1904 wrote to memory of 2676	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	34
PID 1904 wrote to memory of 2676	1904	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ko4efzzr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED1D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\tmpEBF4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEBF4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESED1E.tmp

Filesize
1KB

MD5
d65aefcaa70945d8e78a4102b148052e

SHA1
d6def75c6c0a0e1598275f13b0216a6469c3529b

SHA256
e5c09a3119c24db2ca86d9c9e8fd78035080f3956c7373e8c86fc5458c5ff796

SHA512
135c359c3ab0328f00434056566cc8b585f7b7758b0df2bf81b8036126a79d57107cfa9935bb12b51a4b3d39749371c5e201db6ff55dea079948ea9d6a3708cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ko4efzzr.0.vb

Filesize
14KB

MD5
c8874664d13b0c667ada85214ffab206

SHA1
e9078be7bfe6a5b713816104659609b97a11da32

SHA256
fe4c9b9b87f89c9c22e3b69b96957c7c740c4cccba81848b7201ab6b1abb204b

SHA512
fdcd28c18ef0c4e42115e682a19193c1c329b4375df6f98b1905e5dc57533d53817ae96602622283255378e0713f18cab47e7fce25182cc6fe1f76f6429b67e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ko4efzzr.cmdline

Filesize
266B

MD5
939484a4ba657988ab785b57777ea1c8

SHA1
3c2f07d0ce4f0991388780182112be071e070079

SHA256
ab549aada6c615b0689be1b766759e0969b7c2de7156c4b0b6e04b1a561b7dac

SHA512
31b59be77a11fe9682ca31f30cce2853accb00235e443da3e194adfdb1c8b77dd25bbd2fb44984ae82c3504cf7e4c28bd45fc09ab3eca99ed3d6c402e79fe186

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBF4.tmp.exe

Filesize
78KB

MD5
89d9fadf25f153d7837f8d13bee770cb

SHA1
4c6480ceda6030ed7d966b649b34e0c69ade1755

SHA256
fdba9715c1a2cf60f34119b0c15b7380c76e18d2c36329da615436ed75797663

SHA512
878b94cb35f64b2f738626d3262d1f0f48922b4fe897a51c6124246112883d34b5aa028376c3505dbcf5e9536bfdbcf4d0d8f91dd3ad113ad224c4174b3033dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED1D.tmp

Filesize
660B

MD5
4666917000185bee543c1eec2b581d94

SHA1
d22aff8cfc0243c416b02416099ac8aadebcd619

SHA256
94e27a3492adfcef2615e4280a465ec824b5ee994b12896ef98e4a8909b42479

SHA512
f3055d2fad9c8f7ced0267d2ed765333421571d78862c4b6836eb460c30a135aa446749e5a6c4e6cf36aa6fe2317cc2cd419adee456f206d870a0d45b79864eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/1904-0-0x0000000074321000-0x0000000074322000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-2-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-24-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-8-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2792-18-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads