Analysis

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 13:29

Static task: static1

Behavioral task: behavioral1
Sample: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Resource: win10v2004-20241007-en

General

Target: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Size: 78KB
MD5: bd9b6f7cfa3c3fb00907de25d57946fa
SHA1: 127056647ba8ccbc6f8b56abe1670fdcc9df950c
SHA256: d94a0011b59f79b57f2aea31225aee805990c5d7b121edfc8a1fd622bef7968d
SHA512: a3732930b39a0e275aecf70d05cd49d6e3b82984e1f2174f3b36ca6c8c863dac7704feed4c27c6b24f728d168d375cfac53ec50a347929ec0c61eef585efa895
SSDEEP: 1536:czWV5jNXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96159/S1Nf:yWV5j9SyRxvY3md+dWWZyG59/2
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Executes dropped EXE (1 IoC)
pid  | Process
2192 | tmpE2A2.tmp.exe

Loads dropped DLL (2 IoCs)
pid  | Process
1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
Process: tmpE2A2.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                        | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpE2A2.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Token: SeDebugPrivilege | 2192 | tmpE2A2.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                      | pid  | Process                                            | procid_target
PID 1628 wrote to memory of 2500 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 31
PID 1628 wrote to memory of 2500 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 31
PID 1628 wrote to memory of 2500 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 31
PID 1628 wrote to memory of 2500 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 31
PID 2500 wrote to memory of 2036 | 2500 | vbc.exe                                            | 33
PID 2500 wrote to memory of 2036 | 2500 | vbc.exe                                            | 33
PID 2500 wrote to memory of 2036 | 2500 | vbc.exe                                            | 33
PID 2500 wrote to memory of 2036 | 2500 | vbc.exe                                            | 33
PID 1628 wrote to memory of 2192 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 34
PID 1628 wrote to memory of 2192 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 34
PID 1628 wrote to memory of 2192 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 34
PID 1628 wrote to memory of 2192 | 1628 | bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1628

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg7gq7ez.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2500

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE39C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE39B.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2036

  C:\Users\Admin\AppData\Local\Temp\tmpE2A2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE2A2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads