Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 13:29

Static task: static1
Behavioral task: behavioral1
  Sample: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
Size: 78KB
MD5: bd9b6f7cfa3c3fb00907de25d57946fa
SHA1: 127056647ba8ccbc6f8b56abe1670fdcc9df950c
SHA256: d94a0011b59f79b57f2aea31225aee805990c5d7b121edfc8a1fd622bef7968d
SHA512: a3732930b39a0e275aecf70d05cd49d6e3b82984e1f2174f3b36ca6c8c863dac7704feed4c27c6b24f728d168d375cfac53ec50a347929ec0c61eef585efa895
SSDEEP: 1536:czWV5jNXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96159/S1Nf:yWV5j9SyRxvY3md+dWWZyG59/2
Malware Config

Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  (process: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
  PID 2704: tmp9BE2.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  (process: tmp9BE2.tmp.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: tmp9BE2.tmp.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  (PID 4648, bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe)
  Token: SeDebugPrivilege  (PID 2704, tmp9BE2.tmp.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4648 wrote to memory of 5068  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 83)
  PID 4648 wrote to memory of 5068  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 83)
  PID 4648 wrote to memory of 5068  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 83)
  PID 5068 wrote to memory of 512  (vbc.exe, target procid 85)
  PID 5068 wrote to memory of 512  (vbc.exe, target procid 85)
  PID 5068 wrote to memory of 512  (vbc.exe, target procid 85)
  PID 4648 wrote to memory of 2704  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 86)
  PID 4648 wrote to memory of 2704  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 86)
  PID 4648 wrote to memory of 2704  (bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe, target procid 86)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe"
  PID: 4648
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0qanucjt.cmdline"
    PID: 5068
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc333416CD202F488F9C63D7815EEB6577.TMP"
      PID: 512
      - System Location Discovery: System Language Discovery

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd9b6f7cfa3c3fb00907de25d57946fa_JaffaCakes118.exe
    PID: 2704
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads