Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 05:58

General

  • Target

    b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    b7265059e8284fc14c4dd91301129fb7

  • SHA1

    bf914ff8ab15bbed2cccfb5f1eb80581f2db7920

  • SHA256

    830853b1a26a4809184596ac501e7ce156172dc87ba0c1839f882fbaceacf6fd

  • SHA512

    f75a15151765e08a1e82f769708b84b77437e629da21e06aa1a96267bb64b76be1d217635b63e33fc092568b08a75860df84fbcfe8d5477a138b064022b1a154

  • SSDEEP

    1536:zcPWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtv9/x:wPWtHFoI3ZAtWDDILJLovbicqOq3o+nL

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ypl3ihrs.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A99.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2792
    • C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES2A9A.tmp

    Filesize

    1KB

    MD5

    6bd52fcf107feb88b3a08e8a88e60403

    SHA1

    d522b145d9d5fbc94b28ded791e70d4a9bf877b4

    SHA256

    05befa0fbee073bdccdc82526b596497803965d91e47a4f115450a781bc2a6f7

    SHA512

    632712fc327f9363a28df0fdeeb0baaa21c41df68fd54412b750fcb230bf092b360d716694b31fe886a1f89b7d256c39d1a366c6c9814d29d1ebb94e53b2d961

  • C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp.exe

    Filesize

    78KB

    MD5

    12b47c978cf3f6c4893b5e6e78c7a4fe

    SHA1

    6e57f24b69fdfea191eabbbd51ae31ef5cc514b7

    SHA256

    3ab5b9ddb8ada35267888e8e941924d33e4aeef857e7459a34ec2efc0bafb6db

    SHA512

    95e2d3d4ba8a84d7e9252d57b755342e20d01215ae294d86e8f9ea8e360a39180103fd7a1be48fb89baa954670f8c8d8f581e79b745c67137da01a4e5edbed2e

  • C:\Users\Admin\AppData\Local\Temp\vbc2A99.tmp

    Filesize

    660B

    MD5

    c9904f183a3e0db9eb94078dde9c5293

    SHA1

    881f8f50f4d857c254d026fd984ecff5f2f53801

    SHA256

    bf34bfb1d50ec7f6df8a653742649d174a2aa90655e0df6631f23db2a1d1fda2

    SHA512

    2ca6328abdcdd024cb81f10eaa373a7e29a30238ba0f9ddb99e1b03782a22c58094a8d664ff7746bfe0309e052c778446be65c12a74f510dd6a807ef27fd10c6

  • C:\Users\Admin\AppData\Local\Temp\ypl3ihrs.0.vb

    Filesize

    15KB

    MD5

    397c616772b95f900567e3c866a3fc54

    SHA1

    e16c1d3894f2d2085f4c9042963dfc61a09a7ed3

    SHA256

    0ade343cac69df9438caccb2eae63137bab37c1fbd87d8484be38f88ab679352

    SHA512

    aac21ee5b842f95f8eafadfa5cfc997a9195c6c7343c39419aa3cf1ca8c06f3e989108f001b5d7e83a86d715a2ae13d23dd8afe88df9408e637e45dcca28caa3

  • C:\Users\Admin\AppData\Local\Temp\ypl3ihrs.cmdline

    Filesize

    266B

    MD5

    63a44c29faf586bd985dcdacf0430af0

    SHA1

    2ec954c2ba61a06964495ffeda0aa9d39a18f59c

    SHA256

    f37c71720a5cdf07ca739b3f06f0c2c0b6efa6917e943b536435a441cae4489f

    SHA512

    3a947385ea82e667c0756a7cede03e02e5ebec558aaf166efc3d9f3e1976048c557f45b2e6a0b1bd88011a939779f06efd64b137e31de5402a50ee2633fc79ff

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/2488-0-0x0000000074091000-0x0000000074092000-memory.dmp

    Filesize

    4KB

  • memory/2488-1-0x0000000074090000-0x000000007463B000-memory.dmp

    Filesize

    5.7MB

  • memory/2488-2-0x0000000074090000-0x000000007463B000-memory.dmp

    Filesize

    5.7MB

  • memory/2488-24-0x0000000074090000-0x000000007463B000-memory.dmp

    Filesize

    5.7MB

  • memory/2728-8-0x0000000074090000-0x000000007463B000-memory.dmp

    Filesize

    5.7MB

  • memory/2728-18-0x0000000074090000-0x000000007463B000-memory.dmp

    Filesize

    5.7MB