Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 05:58
Static task: static1
Behavioral task: behavioral1
  Sample: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
Size: 78KB
MD5: b7265059e8284fc14c4dd91301129fb7
SHA1: bf914ff8ab15bbed2cccfb5f1eb80581f2db7920
SHA256: 830853b1a26a4809184596ac501e7ce156172dc87ba0c1839f882fbaceacf6fd
SHA512: f75a15151765e08a1e82f769708b84b77437e629da21e06aa1a96267bb64b76be1d217635b63e33fc092568b08a75860df84fbcfe8d5477a138b064022b1a154
SSDEEP: 1536:zcPWtHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtv9/x:wPWtHFoI3ZAtWDDILJLovbicqOq3o+nL
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
    process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  PID 4284: tmpB045.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""
    process: tmpB045.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: tmpB045.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; PID 2816; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  Token: SeDebugPrivilege; PID 4284; process: tmpB045.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2816 wrote to memory of 1700; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 83
  PID 2816 wrote to memory of 1700; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 83
  PID 2816 wrote to memory of 1700; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 83
  PID 1700 wrote to memory of 2328; process: vbc.exe; procid_target: 85
  PID 1700 wrote to memory of 2328; process: vbc.exe; procid_target: 85
  PID 1700 wrote to memory of 2328; process: vbc.exe; procid_target: 85
  PID 2816 wrote to memory of 4284; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 86
  PID 2816 wrote to memory of 4284; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 86
  PID 2816 wrote to memory of 4284; process: b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe; procid_target: 86
Processes
C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2816
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2816)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvaac5xf.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1700
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (child of PID 1700)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F1AB1D960C4BE3AD9EA6A315104BC8.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2328
  C:\Users\Admin\AppData\Local\Temp\tmpB045.tmp.exe (child of PID 2816)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpB045.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b7265059e8284fc14c4dd91301129fb7_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4284
Network
MITRE ATT&CK Enterprise v15
Downloads