Analysis

Max time kernel: 148s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-12-2024 05:37
Static task: static1

Behavioral task: behavioral1
  Sample: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
Size: 78KB
MD5: d0e4a9b0bad597752412cb379b98e1aa
SHA1: e27e35d07f13a67d99bb04babc8e4726f513abbf
SHA256: 57a9ec79b1ec65d09013455cc528ec05155b0b7956f0f3ba75689494a2137951
SHA512: cb7bd06b3e326d4cc9c4dbb1303eae920efde543de679d9b2cfec5a179a49fe7f35293e720941eae69ab41ab1b63bca97df827afbd311c0cc59337f3ceca1263
SSDEEP: 1536:eWtHHJIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQt+H9/EL1Ib:eWtHpINSyRxvHF5vCbxwpI6W+H9/Eo
Malware Config

Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
  PID 2440: tmpAEED.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\"" (process: tmpAEED.tmp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpAEED.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 2156, d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe)
  Token: SeDebugPrivilege (PID 2440, tmpAEED.tmp.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2156 wrote to memory of 2872 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 85)
  PID 2156 wrote to memory of 2872 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 85)
  PID 2156 wrote to memory of 2872 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 85)
  PID 2872 wrote to memory of 1936 (process: vbc.exe, procid_target: 87)
  PID 2872 wrote to memory of 1936 (process: vbc.exe, procid_target: 87)
  PID 2872 wrote to memory of 1936 (process: vbc.exe, procid_target: 87)
  PID 2156 wrote to memory of 2440 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 88)
  PID 2156 wrote to memory of 2440 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 88)
  PID 2156 wrote to memory of 2440 (process: d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe, procid_target: 88)
Processes

C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe"
  PID: 2156
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mboalvko.cmdline"
    PID: 2872
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F40C2F08BFB4C88A952C5F830341A2E.TMP"
      PID: 1936
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAEED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d0e4a9b0bad597752412cb379b98e1aa_JaffaCakes118.exe
    PID: 2440
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads