metamorpherrat | 468024aed17f32d77ea008e438962a17808683728da5dfc2418985a0d487cbd3

General

Target

aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Size

78KB
MD5

aaed7416e90a9e7cc08334487a15e1b6
SHA1

412492bd959935e04c4fb9d4830ee32015547c60
SHA256

468024aed17f32d77ea008e438962a17808683728da5dfc2418985a0d487cbd3
SHA512

f45a820c7e95d54cf41ae5757370245a5d8b329a3d5fcdc13c3bcdd57a24eaf39a4bb86c16a50205bce930603ac3fd1c3ac6e2d033624c73f38810aba5529142
SSDEEP

1536:TCHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtV9/Q1hZ:TCHY8dSE2EwR4uY41HyvYV9/q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2836	tmp37B3.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp37B3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp37B3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Token: SeDebugPrivilege	2836	tmp37B3.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1556	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	29
PID 1456 wrote to memory of 1556	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	29
PID 1456 wrote to memory of 1556	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	29
PID 1456 wrote to memory of 1556	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	29
PID 1556 wrote to memory of 2728	1556	vbc.exe	31
PID 1556 wrote to memory of 2728	1556	vbc.exe	31
PID 1556 wrote to memory of 2728	1556	vbc.exe	31
PID 1556 wrote to memory of 2728	1556	vbc.exe	31
PID 1456 wrote to memory of 2836	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	32
PID 1456 wrote to memory of 2836	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	32
PID 1456 wrote to memory of 2836	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	32
PID 1456 wrote to memory of 2836	1456	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nc6mvule.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc389D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES389E.tmp

Filesize
1KB

MD5
8c4d77a87f04e71d159b2e4e1febefb9

SHA1
2630cc54cc415ff805178ed6203a984d7b0ac579

SHA256
6105e0e614217609ef28a08235da7fe0348fa648bfaa9da508c1140d7a10af48

SHA512
3cf0079cc455988db1daf087b1d71b68ce6039aeb2e01693a4abb1b60d4168ff87251d6af27bb29ed44d6ccd0588e7e34bc8d86e1a98539090d658af4b325fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc6mvule.0.vb

Filesize
15KB

MD5
631c164984522dedb72edd291fb84a39

SHA1
e2531d4849c23cda9e4c66d459dd9fece0fa4041

SHA256
41b500a83e7ab4b62b3142087124a9454d52b93dc6b184f0121c878dea515810

SHA512
a147fdbebc431cb7a6d154f7ce60c085764300909a2cdab6a01407530f8e6a41ce1b662318fd2ba4f56afcc72a116605752eec084261e4f191c0e4abbd2daba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc6mvule.cmdline

Filesize
266B

MD5
4678ca0f84c8ef3776901b6353282e5c

SHA1
08f8c46d39d5056fd8ba04e1a428a8e995686b51

SHA256
7575e51f63d7c5708349affbe928b5039664be62776ee9a7654ccb32ee6a2074

SHA512
314c4341c0f3bb5242fb3cffbc81f74446bb6ebc43f4eccf4427211d8c24e63be6389349e9e31c2985bf9a397bced8525ac191ad75dd5828ceca72f6bc99ad82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37B3.tmp.exe

Filesize
78KB

MD5
26f3f0860a05a3470eb56d2e947b180c

SHA1
a8a9f9dc26ab344ab591613933d9ca5478b6cae7

SHA256
6a3dfc1dfdbd0603ce1e31f3b4a119356addd7b3f8a80f37e6fbb2af888e728d

SHA512
1d2534f64abfb8d8f3b9da2d90d4d4bc1f7356400595977a85c34c45a2ba571b4b2484ce6aed4a086a1ee9a7dab85c354502c0f63ad48cd68e240a5d207e09d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc389D.tmp

Filesize
660B

MD5
e3e0a810c30f39ec01e74377c92d21e5

SHA1
0f3bcde184029e339817e265f2300f19bc22e503

SHA256
1c92c26c54ed3a7f8978cd97a625252b27bd15c0a9c305a61b580769a37df09e

SHA512
7abf3e3eda7e4c91ba208cbd73c4947a11961866a263d054798e2de30211fb8f970101fad3239507cbbe94d3ef2843edd9f66efa31679571bf1151b505c19334

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1456-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/1456-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads