Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 13:29

General

  • Target
    bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
  • Size
    78KB
  • MD5
    bd9b6f7cfa3c3fb00907de25d57946fa
  • SHA1
    127056647ba8ccbc6f8b56abe1670fdcc9df950c
  • SHA256
    d94a0011b59f79b57f2aea31225aee805990c5d7b121edfc8a1fd622bef7968d
  • SHA512
    a3732930b39a0e275aecf70d05cd49d6e3b82984e1f2174f3b36ca6c8c863dac7704feed4c27c6b24f728d168d375cfac53ec50a347929ec0c61eef585efa895
  • SSDEEP
    1536:czWV5jNXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96159/S1Nf:yWV5j9SyRxvY3md+dWWZyG59/2

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • MetamorpherRAT family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg7gq7ez.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE39B.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2036
    • C:\Users\Admin\AppData\Local\Temp\tmpE2A2.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE2A2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE39C.tmp
    Filesize: 1KB
    MD5: d373d4079cbe525c49c8847b1935d93f
    SHA1: 681e0274e652a78c8575ba3d82ab2760ed94c20f
    SHA256: 9a8acb4c2b99d453e892abe5338f0a587f30516bea6a068a320e98f7e9c5d1ec
    SHA512: 8b8a283e0e35333326ab032d5459a5f797c840aa89bf48940dec9d26639b4882554df4a2e7eb0d2e8bfd5a78985ecac7ee394a3d047d7ade069b819c16b97a92

  • C:\Users\Admin\AppData\Local\Temp\jg7gq7ez.0.vb
    Filesize: 14KB
    MD5: fc9a192894ced9aef7e8b9ca13dd3d93
    SHA1: 62bb165adc28235226821184c122932d6e50f278
    SHA256: 9b963ab583c8b7313e626f087686d9ab4875b3cfed6cea76dde76fe53ecd33fd
    SHA512: b562edeeedceb38d3b2b04959e808c2a0e2ae323bca8ff6a0916107493cffa54e77317807fbfa27c2cd3e2d9a647df7c2db08a4c7147938675393de1bdd85d22

  • C:\Users\Admin\AppData\Local\Temp\jg7gq7ez.cmdline
    Filesize: 266B
    MD5: a3d1ab5d2cc4e3cfe7a48398d7dbae30
    SHA1: ddcd39788125ccd77f76901c17673aa117915ef5
    SHA256: 6369673335f3459f89726b28335085ef133cb1ab032490411dfc91f8464fe47a
    SHA512: fc4b2e3c68334c0f12e18ddfafbb20cfdffbea75d5664744d5036d6223ccbcfd4621c6e0297d01d9059fc030bea3475a035323be7f1042ea4b22ac044c195221

  • C:\Users\Admin\AppData\Local\Temp\tmpE2A2.tmp.exe
    Filesize: 78KB
    MD5: f4054b999a8c360527e7160810b63431
    SHA1: f5892079209d9e13086c4cf4cdb3f9ba3c43872c
    SHA256: ad1ab2e795882ba23ca077e39dd88fb0968206cc044945cebf8c4dbc04378c45
    SHA512: 7483d2285cd5f2b0c9a74ab547b50393cdfcc6cecff28e354dd480aca6804a122778e1699ae2d505898757067ac65299834554b85d831c635dc66891d8108fc7

  • C:\Users\Admin\AppData\Local\Temp\vbcE39B.tmp
    Filesize: 660B
    MD5: ee7f8352dbf07d70cf7ec0f1cd9ca055
    SHA1: c8008c38adba712b1cc36e1a0901d5f1be41d455
    SHA256: f76e2ab505e9a4d555c8de02e142bd1fdbc0bc2e29a1bf3dea1036a0a63e12d0
    SHA512: aacbb922f6a72abb3dfe20d7613218de8d31962a2d70c3f096beb32f1323dfdaad94e18c576b570363cabb291f0d2eef8b6f468975fa6213eb14c14c31c676ed

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
    SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
    SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
    SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

  • memory/1628-0-0x0000000074381000-0x0000000074382000-memory.dmp
    Filesize: 4KB

  • memory/1628-1-0x0000000074380000-0x000000007492B000-memory.dmp
    Filesize: 5.7MB

  • memory/1628-2-0x0000000074380000-0x000000007492B000-memory.dmp
    Filesize: 5.7MB

  • memory/1628-24-0x0000000074380000-0x000000007492B000-memory.dmp
    Filesize: 5.7MB

  • memory/2500-9-0x0000000074380000-0x000000007492B000-memory.dmp
    Filesize: 5.7MB

  • memory/2500-18-0x0000000074380000-0x000000007492B000-memory.dmp
    Filesize: 5.7MB