metamorpherrat | 9ce7322fb16fdc6a5f36681ee86f2e7921a37db56f4820f2f234d7404ece461b

General

Target

aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Size

78KB
MD5

aafb5fff965f689734311b601f60ccdc
SHA1

abd980f120d0648643f6e969ae496003f2d4ca6e
SHA256

9ce7322fb16fdc6a5f36681ee86f2e7921a37db56f4820f2f234d7404ece461b
SHA512

cc0a757890ddf38fa13566a0853b52b472662626dcbe33ef1978fc5f62d24934bdfc51c1af2e89a5898017bd544fdae6f70941b7e95b608f51200ba0b11c75c9
SSDEEP

1536:Py5jSmVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC6th9/p1fg:Py5jSm/vqyA11XYUBxprBPjcT9/c

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	tmp8FCC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmp8FCC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8FCC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
Token: SeDebugPrivilege	5032	tmp8FCC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4280	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	83
PID 2464 wrote to memory of 4280	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	83
PID 2464 wrote to memory of 4280	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	83
PID 4280 wrote to memory of 4992	4280	vbc.exe	85
PID 4280 wrote to memory of 4992	4280	vbc.exe	85
PID 4280 wrote to memory of 4992	4280	vbc.exe	85
PID 2464 wrote to memory of 5032	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	86
PID 2464 wrote to memory of 5032	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	86
PID 2464 wrote to memory of 5032	2464	aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ivt5flqy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EC12123BCD34071987B87F463CDBDCB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- C:\Users\Admin\AppData\Local\Temp\tmp8FCC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8FCC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aafb5fff965f689734311b601f60ccdc_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES91D0.tmp

Filesize
1KB

MD5
e3f1d67218d789ed1b014b2b975b0a11

SHA1
fc4ad7243083f7adc1cb3f12eeb974c8a5f0f96a

SHA256
8cda0a4cd8be43eb95c8608fdfc78d4cab60c5eec5b01ce66cf1a764bf7b829c

SHA512
b0bf8366673613571984ff28dc4d979ba8f45a591197c35e4cc2893e3a416414d04a5553d5227c1119ad1fc8f991275564ab8fe59fa184a99c7918abb89005f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivt5flqy.0.vb

Filesize
14KB

MD5
1d84f107f6eaea4814283477f1bb4a63

SHA1
a3afadc00e89862de773962b28998d460892c90c

SHA256
2d0286029f787270e92ceaa53c740b32f8ade1e09a6faa904e6c05107ef599be

SHA512
9e06048a65d7d8c853da69155ac1a126c2af83d19d275383676c4e3a0d803db00ef45541c182c9fc6dec87c838fc5672eb7bc7f23726aaca1947dd486f4897b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivt5flqy.cmdline

Filesize
266B

MD5
7cc2c1e8d13c3cef54c3d3102da1ce16

SHA1
4d9a4c26631c923b57458d2bbf874022509d70c1

SHA256
2b0f088b5eb1251c7a196dff89206898e548dd54a5feab1ed01a53f8ec3c26ac

SHA512
4c4c209028c9d3681e9ee054d189c780dc852f1922bc94f3be451034922e0374fab41e35fe38dd82ecd24a714c9689168e825690d59e05b5a7b1fb973d35de99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8FCC.tmp.exe

Filesize
78KB

MD5
0eed4d85c247e8bfa70112ab8438fe0e

SHA1
9a9ac73e07632a1ab6a36ccf15b59cde307d4eaa

SHA256
36af656c9117f7d421dc5a87b8fe9213bc78f5a375676fb1ee5a2787f0b5f3d9

SHA512
66795805f056715af4f9651a55ad7a3475eb2303df7596f660f3c837eff7f045f5b8827557d5ae4df7b60ae9ccabfe379ea10808b00f6adbeac39312abc05867

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3EC12123BCD34071987B87F463CDBDCB.TMP

Filesize
660B

MD5
06a38e86bb6e5f3648c54abb3ff75f5d

SHA1
e83f17e4cedae90216dd71342e7181164ef0bd48

SHA256
adb53465a22b0fe0e47b9454ae3da1fd07efd3779095eca492ce7e47b78378f4

SHA512
774a90703f272a1884803d5286f6b6b0ca3c951d10e11a7ab4d2d9561b0170a0965276017a476018cec32f33b00ea3600697690f8848023dd7462e37fc5357ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2464-0-0x00000000746B2000-0x00000000746B3000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/2464-2-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/2464-22-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4280-9-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4280-18-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/5032-23-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/5032-25-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/5032-26-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/5032-27-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads