metamorpherrat | 57a9ec79b1ec65d09013455cc528ec05155b0b7956f0f3ba75689494a2137951

General

Target

d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
Size

78KB
MD5

d0e4a9b0bad597752412cb379b98e1aa
SHA1

e27e35d07f13a67d99bb04babc8e4726f513abbf
SHA256

57a9ec79b1ec65d09013455cc528ec05155b0b7956f0f3ba75689494a2137951
SHA512

cb7bd06b3e326d4cc9c4dbb1303eae920efde543de679d9b2cfec5a179a49fe7f35293e720941eae69ab41ab1b63bca97df827afbd311c0cc59337f3ceca1263
SSDEEP

1536:eWtHHJIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt+H9/EL1Ib:eWtHpINSyRxvHF5vCbxwpI6W+H9/Eo

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2940	tmpE5FC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpE5FC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE5FC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
Token: SeDebugPrivilege	2940	tmpE5FC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2440	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2440	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2440	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	28
PID 1148 wrote to memory of 2440	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2220	2440	vbc.exe	30
PID 2440 wrote to memory of 2220	2440	vbc.exe	30
PID 2440 wrote to memory of 2220	2440	vbc.exe	30
PID 2440 wrote to memory of 2220	2440	vbc.exe	30
PID 1148 wrote to memory of 2940	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	31
PID 1148 wrote to memory of 2940	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	31
PID 1148 wrote to memory of 2940	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	31
PID 1148 wrote to memory of 2940	1148	d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gp5ghbn2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE783.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE782.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\tmpE5FC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE5FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE783.tmp

Filesize
1KB

MD5
594e3d1e3cf4055bad0ad36e83fd7ea7

SHA1
2f66b3f65ad543e865e81fdb779e62816a8303ff

SHA256
7f0a31b88511ccdac01021d730ebeaf48e0b77ae5b8281712b01484dbef54156

SHA512
8409fb2a3aea15a301a61e6d0f26b2fa2d7780cc3cec1118e26442b35d99056e575aeb0e1e8eca1f05503d52d817f5c9b1634b9c6cf641353b5912b589f9a8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gp5ghbn2.0.vb

Filesize
15KB

MD5
474acc66d57de686b8f7876dca11053b

SHA1
d99afc67dc3a92098a50d7524ed21f708996d54c

SHA256
131468c4eb208a7656bd2aa89e2d849e1bdb69451bebc953f78d63a2ad023aa7

SHA512
66c270bb7ed75f6e3ddb7914df08b439bb4d9fa67514d7b48300cd048d363cd80ff2e2d50960d3d9765668ff8a85cb0de8ebd49e76f5e401081a643bdbb4ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\gp5ghbn2.cmdline

Filesize
266B

MD5
ade26b8549094c14293965afd1508ad1

SHA1
cb91aa56c655ccf3649a52533df57079ec4ab329

SHA256
ecb7756b115844dbf248330fe928fa87c2e76de762d67bdc9a6c8b21744929f4

SHA512
84aae9ccbed66b543176cd91dec2bdc80b3ef8ea59316d44808336146f7f0ec31165b1a6a6c690b2f9df48dbe15bd3de552a3398089981dc1b7b2468fe8a0eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5FC.tmp.exe

Filesize
78KB

MD5
06c8fee701b69778f39deb4b82469b96

SHA1
750de365191c082da1eab64fd1ddc2fbac858ea3

SHA256
f9bd6fde93be0010360a480cbd2865bd3dc625e863380c7500c9e0fb4c7d7fe6

SHA512
112ea2a67eb4682d1b38856895ef8eef6cb40996c28e2b8a71405cee002344796df04683fbed88dfb9723cbb80ec8b8ffcff2ce98fc993f64e92d73a963f07bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE782.tmp

Filesize
660B

MD5
ae0e47c8f41ab78264b3cd9e30f3de46

SHA1
5c707cf8a2df638838c8b428d229e0f50e0bb3b9

SHA256
c6306acee7df67e0c2491824c5b807dacf5e0b2483214cdd34b7ea8c3a5f874f

SHA512
07742f5f3179882aba9b018d0dcc4feb259a4b2f7bf3dab369924f024e4b997664779b5c1b6dc70326581ef8a6f646ca7041b65b26b15efd0e2c03089b07236e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/1148-0-0x0000000074821000-0x0000000074822000-memory.dmp

Filesize
4KB

Download
memory/1148-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/1148-23-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-8-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads