Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 05:37

General

  • Target

    d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    d0e4a9b0bad597752412cb379b98e1aa

  • SHA1

    e27e35d07f13a67d99bb04babc8e4726f513abbf

  • SHA256

    57a9ec79b1ec65d09013455cc528ec05155b0b7956f0f3ba75689494a2137951

  • SHA512

    cb7bd06b3e326d4cc9c4dbb1303eae920efde543de679d9b2cfec5a179a49fe7f35293e720941eae69ab41ab1b63bca97df827afbd311c0cc59337f3ceca1263

  • SSDEEP

    1536:eWtHHJIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt+H9/EL1Ib:eWtHpINSyRxvHF5vCbxwpI6W+H9/Eo

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mboalvko.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F40C2F08BFB4C88A952C5F830341A2E.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1936
    • C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp

    Filesize

    1KB

    MD5

    0774a65668e1d0ec9408c4d17441b2a7

    SHA1

    609d7acd4d6bbc54aabb1402abacece907d433d2

    SHA256

    9cd98e72270dfbb4274a470e3b812a123d9c21ef5e21b9b40ba778c814893913

    SHA512

    1185fafe9afe6e1323f04ed73b51108d19eff4ca72bf1a484bbbef4b121eebd9c976560be842f7128b8a28be2404de17f501181ab130f7211db1201b15999065

  • C:\Users\Admin\AppData\Local\Temp\mboalvko.0.vb

    Filesize

    15KB

    MD5

    1e62518d58908de61d8bc11ef260cfdd

    SHA1

    6f27da865a4df57695fe090cee61522e6de682a1

    SHA256

    fe89f305971b64dc20d76751da006e3573b37bdc1218a812d680036c85bfcca0

    SHA512

    a641e6482b24658d449e78bf186b1152314e3648a1fc532aec4e1db6439c45d53aa27834c2ae3e563cba2128a4e72afda9ef60902749c537d38b63aacb31ddef

  • C:\Users\Admin\AppData\Local\Temp\mboalvko.cmdline

    Filesize

    266B

    MD5

    caffd3629d3c6df5a4096d9e0c70b52e

    SHA1

    ebb256a0e88996260a6a4de12ef9a98a17c19503

    SHA256

    072153cd0a3f1c4a46cdeb0695a4c07c0d563ead8e16325ec65d375c121ee2cc

    SHA512

    384cd03e05597a5f5ab828601e68c90cbfeab31a8210dd39cf3eb9d205fb44988e82055bc22c4e2a8adcdfed795d4446eb14b58dd9163645812636db8c223528

  • C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.exe

    Filesize

    78KB

    MD5

    513f94e9c4612cf0261c5fe35ae0386e

    SHA1

    895ec8d4b6dabd6ed6252c9241b41d13312c903c

    SHA256

    6f70cb70c51163cdf851218d41f816dd352f60b139b1abd110bb0a5616c90899

    SHA512

    476fc23c273cddc724bed12848baa39d50c90cabc193a05063794e0df91e8fc6c3b6348a530ac1674d1fa5653d816b72b1d3080db6e5730e55da85ba76e7206e

  • C:\Users\Admin\AppData\Local\Temp\vbc5F40C2F08BFB4C88A952C5F830341A2E.TMP

    Filesize

    660B

    MD5

    7fbbf66434ad16a7ce02c575c0d5f912

    SHA1

    00d0319316aa1737ea2b110a7db5ca5e98179a48

    SHA256

    0bde00cb9d8fa1676ecc0c0f1258cfc693f2552ff44f39da4eb303ab893eccf8

    SHA512

    91428b8b111852c8c222cf51f09700b886d941ef31b12492306558d382fec8540392cbaf40e161aba949be8fae49f52aec09e6dbdb3371c10355de710b055eea

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    097dd7d3902f824a3960ad33401b539f

    SHA1

    4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

    SHA256

    e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

    SHA512

    bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

  • memory/2156-1-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2156-2-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2156-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

    Filesize

    4KB

  • memory/2156-22-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-23-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-24-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-26-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-27-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2440-28-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2872-18-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB

  • memory/2872-8-0x0000000074E60000-0x0000000075411000-memory.dmp

    Filesize

    5.7MB