metamorpherrat | 468024aed17f32d77ea008e438962a17808683728da5dfc2418985a0d487cbd3

General

Target

aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Size

78KB
MD5

aaed7416e90a9e7cc08334487a15e1b6
SHA1

412492bd959935e04c4fb9d4830ee32015547c60
SHA256

468024aed17f32d77ea008e438962a17808683728da5dfc2418985a0d487cbd3
SHA512

f45a820c7e95d54cf41ae5757370245a5d8b329a3d5fcdc13c3bcdd57a24eaf39a4bb86c16a50205bce930603ac3fd1c3ac6e2d033624c73f38810aba5529142
SSDEEP

1536:TCHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtV9/Q1hZ:TCHY8dSE2EwR4uY41HyvYV9/q

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1536	tmpF7DD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpF7DD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF7DD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
Token: SeDebugPrivilege	1536	tmpF7DD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4768	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	83
PID 3344 wrote to memory of 4768	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	83
PID 3344 wrote to memory of 4768	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	83
PID 4768 wrote to memory of 4436	4768	vbc.exe	85
PID 4768 wrote to memory of 4436	4768	vbc.exe	85
PID 4768 wrote to memory of 4436	4768	vbc.exe	85
PID 3344 wrote to memory of 1536	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	86
PID 3344 wrote to memory of 1536	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	86
PID 3344 wrote to memory of 1536	3344	aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hquto6gv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF944.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8FB1CEC26F441AA8232904D38C47EC2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- C:\Users\Admin\AppData\Local\Temp\tmpF7DD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF7DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aaed7416e90a9e7cc08334487a15e1b6_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF944.tmp

Filesize
1KB

MD5
1658fd534868ce10ba4f92c588a83ede

SHA1
3d9c675378ec138db9176e38fbda7d05059e0c5b

SHA256
01a01fddbac8ab8bc81a414dda4b0ee08e94b07d44214c1e480fa4ba9e211047

SHA512
f6ed6dbcb0a730323dd7b51419c705345507fcf101df7b3ab6c12e2112d0fe62c84a386abb8efc36ec47eca6cbc4574da552cbf15a64832a294578b9533bf6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hquto6gv.0.vb

Filesize
15KB

MD5
550d270d275b847c0b71c2e3356014e9

SHA1
0b591440522e021ad5307ffce60d730738428a90

SHA256
ef14fa1752621e356bbf395ccda4bf3caaf58c0c661117d3d20cb2a1c8328a14

SHA512
f7cae9660f67e0fa4fee7f8c23fcdcd01745ebee04957fd227195400929f821c052c3440998328db7e958c405ccc768e1f9998204c1bd8dbf3c1370ad3b77987

Download Submit
C:\Users\Admin\AppData\Local\Temp\hquto6gv.cmdline

Filesize
266B

MD5
b188edb88ff48935c5038aa4560103d8

SHA1
74dc89ff4c77ee0e31a5353443b7483fe82d6d00

SHA256
73c4cb0bba1da796ba9683ff1bddc4d7c33c8b3254cac8ae1c0ab1994c54e679

SHA512
608e0b9df3180e6b83013fc76502e6dc890c914fc02747f39762346297b702bd40ac8f1c1951bd8b92ca7f88d6f362087ea00be78b35dedab6f38bfe7e91722c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF7DD.tmp.exe

Filesize
78KB

MD5
7fc0a46fe65c34b1d8efcf240028d47a

SHA1
f3d5b7da5726c61d01ebccad2d92a1849f59c9ed

SHA256
c0529e48f9495f16b0139c248d86a6eb2d0cb437cc56ce7b0f6dbb5992555cde

SHA512
e562f1acc7643d7f3faf74cdc05253c2a6566e81c05361ef4268d4fd0937f0004bdd549db8f3079010153239327ef2eedbfd02901e9d0e52f6655ccb1484cca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8FB1CEC26F441AA8232904D38C47EC2.TMP

Filesize
660B

MD5
828f79fda387bcc5711e57cccd84d7e0

SHA1
99903ed34144542944cd2d0eaf1dc1b4f6f589f6

SHA256
bb75ad5c91b1a45953dbdf9452716fc0280c176066c0269ee000ef42cc2c08b6

SHA512
54771898606e3a8734defae00c1c92a102e21ad34c602e38b83b5bae1dd0fb699a302607853182698a2b19bb5ef9bd2fd4b795cc84327671d0a93b0a6f791843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1536-23-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1536-25-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1536-24-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1536-27-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1536-28-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1536-29-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-2-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-1-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-22-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/3344-0-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/4768-8-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4768-18-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads