metamorpherrat | 76d1d11f8e3ed8a19fc38a55dde6e9f3a70026e0d25e21ebc04a8279e483a706

General

Target

bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe
Size

78KB
MD5

bae192a976dbe9da0775683e7e7aa3b4
SHA1

6396f81af2c9695567f36c22c7afab6830bf364f
SHA256

76d1d11f8e3ed8a19fc38a55dde6e9f3a70026e0d25e21ebc04a8279e483a706
SHA512

fc65c625c22bb39da3cb0bc2cba35b72cafc131cb924d21b07d7e2f0a2b2b2217d14d1771d8066c2f4a1bb9428507a6c2ce8736db4ca6f74270cc5d305531540
SSDEEP

1536:aPWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC9/CS1Fu:aPWtHFonhASyRxvhTzXPvCbW2UC9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2844	tmp955A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	tmp955A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp955A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp955A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe
Token: SeDebugPrivilege	2844	tmp955A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2364	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	82
PID 1668 wrote to memory of 2364	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	82
PID 1668 wrote to memory of 2364	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	82
PID 2364 wrote to memory of 2260	2364	vbc.exe	84
PID 2364 wrote to memory of 2260	2364	vbc.exe	84
PID 2364 wrote to memory of 2260	2364	vbc.exe	84
PID 1668 wrote to memory of 2844	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	85
PID 1668 wrote to memory of 2844	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	85
PID 1668 wrote to memory of 2844	1668	bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slthcmou.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDF6D13CD370407D862E23889F634F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\tmp955A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp955A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bae192a976dbe9da0775683e7e7aa3b4_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES97BC.tmp

Filesize
1KB

MD5
a52957edca81869a98b3ae11d3da7f08

SHA1
1f3ea75362c72ffc42c2907046f849032eadd29c

SHA256
87271c790b244a62d0b2e64f27d3a4ba39e93630cad27fb2ccb7c8c8ae592dc8

SHA512
4b827329e730c37946f777d48a9bea82d48acc1816b873c35bfedd0bee3084193086053927194323890e892f402e013f7763e6a4724cee328c5b41178aafb6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\slthcmou.0.vb

Filesize
15KB

MD5
92c887acdfbdff9a40139354d26b9db3

SHA1
be6f4e876a89a5a5c1a6b200d098dcd4a82a355d

SHA256
1cf0ad5d7aa87ffae956c3ff10ecf1b3d8c9df77a9c2ef8f539c84907af1a5fe

SHA512
ddc0461d8abe464c9dbf33be747a4cd0fc2c723e76bb2acae9cb3cb20dde043cffa897fb4f2c0e8f4542a92750eecb9b7b98aa959433cdac2b58745623f4d453

Download Submit
C:\Users\Admin\AppData\Local\Temp\slthcmou.cmdline

Filesize
266B

MD5
5e55e5b15f6152af10d301a48919ae8c

SHA1
ef3be18e5c1faad35fcfe2f8c9fe1068be2794a4

SHA256
5fc24a6be4f9719650e6625a29884c22aee173a04b69f76b3b0b19ea77e4c3bd

SHA512
cd9ee43966cf54f1590e3abdaf02ff81b47f67f3cd628759b271051c51e8dc249148a0a9523ab06b815f47eac71bb88b69ad22e7b89362427f9081c352df9881

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp955A.tmp.exe

Filesize
78KB

MD5
b0d1514200a8981eed7c2901be541856

SHA1
2bb7c53ba03ee1206c02721210afe43f66eddaa9

SHA256
03c7fcba79812d4c87f46d63dea303cab1489ff8049fe1f4c43d8e43fd84acbd

SHA512
bd2bd35833458bb8017213d4437d537854a75eac6ac2a4ccf7662d56dbf03afffd00925e3128a085a1791ee36a9ced4b5965ee34539b49d969c49a3e1ff8977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCDF6D13CD370407D862E23889F634F.TMP

Filesize
660B

MD5
2b3a2e19e957145a3d5f4bafb4e67765

SHA1
399dbdd6a68f054a2a4093ba52e35cc60e71f2c8

SHA256
7d266abc466ce02092518f9712c6f9f370d6900d455390e3bbf9d30c371a51dc

SHA512
71d2b73cef9ab4227575a4b58065e47cb708fe51495467fc1cca4a3f774c8beb6778fe3a6f876aea54cefbcb1f2cc3e7a33a6c9c0db1d7e63592ef1545e69272

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1668-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

Filesize
4KB

Download
memory/1668-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1668-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1668-22-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2364-18-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2364-9-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2844-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2844-24-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2844-26-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2844-27-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2844-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads