Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2024 05:58
Static task: static1
Behavioral task: behavioral1
  Sample: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
- Size: 78KB
- MD5: b7265059e8284fc14c4dd91301129fb7
- SHA1: bf914ff8ab15bbed2cccfb5f1eb80581f2db7920
- SHA256: 830853b1a26a4809184596ac501e7ce156172dc87ba0c1839f882fbaceacf6fd
- SHA512: f75a15151765e08a1e82f769708b84b77437e629da21e06aa1a96267bb64b76be1d217635b63e33fc092568b08a75860df84fbcfe8d5477a138b064022b1a154
- SSDEEP: 1536:zcPWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtv9/x:wPWtHFoI3ZAtWDDILJLovbicqOq3o+nL
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID 2564: tmp281A.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID 2488: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  PID 2488: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" (process: tmp281A.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp281A.tmp.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe)
  Token: SeDebugPrivilege, PID 2564 (tmp281A.tmp.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2728, procid_target 30
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2728, procid_target 30
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2728, procid_target 30
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2728, procid_target 30
  PID 2728 (vbc.exe) wrote to memory of 2792, procid_target 32
  PID 2728 (vbc.exe) wrote to memory of 2792, procid_target 32
  PID 2728 (vbc.exe) wrote to memory of 2792, procid_target 32
  PID 2728 (vbc.exe) wrote to memory of 2792, procid_target 32
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2564, procid_target 33
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2564, procid_target 33
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2564, procid_target 33
  PID 2488 (b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe) wrote to memory of 2564, procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe (PID 2488, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2728, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ypl3ihrs.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2792, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A99.tmp"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp.exe (PID 2564, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads