Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-12-2024 23:01

General

  • Target

    deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe

  • Size

    78KB

  • MD5

    deddb4c05d21ebfe287148692017b375

  • SHA1

    fc5e251b39d49f7d93b024dac1cac07113b17ec9

  • SHA256

    1a9ee379fa99ac78be460d500492e050d21965cd8f0575c4fb2fd2830278633c

  • SHA512

    28645e2dd19be55f86153d31c0942f29b55ff6d8e6c972fab1f67caf9832bb095689f0c79fb6e6efb0192b7206f9dccc9e85bb10e38891ea5ec227b3a7a5b65c

  • SSDEEP

    1536:15jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96T9/+s12D:15jS/SyRxvhTzXPvCbW2Uo9/a

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7vcphv25.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES842E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc842D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1732
    • C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
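The tree above is the compile-at-runtime pattern: the sample drops a source file (7vcphv25.0.vb) and a compiler response file (7vcphv25.cmdline) into %TEMP%, invokes vbc.exe with `/noconfig @...cmdline` (vbc.exe in turn runs cvtres.exe to build the resource section), and then launches the freshly built tmp82E6.tmp.exe with its own path as an argument, which lets the child delete the original binary and set the Run key for persistence. The block below is an added detection example, not part of the sandbox report: it runs three checks over constructed Sysmon-style process-creation and registry events and groups hits by the root process. PIDs, image paths and command lines are copied from the tree; the event field names, the parent PID of the root process, the Run-key value name and the benign Visual Studio control events are assumptions.

```python
"""Detect the vbc.exe compile-at-runtime chain shown in the process tree.

Added example, not code from the sandbox or the sample.  EVENTS is a
constructed Sysmon-like record set (kind, pid, ppid, image, cmdline);
for kind == "reg" the cmdline field carries the registry target instead.
"""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "kind pid ppid image cmdline")

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
DROPPED_TMP_RE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}          # csc.exe added: same technique, C# flavour
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # legitimate parents of a compiler

NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe"

# Constructed events modelled on the report's tree (ppid 1500 of the root is assumed).
EVENTS = [
    Event("proc", 2100, 1500, SAMPLE, f'"{SAMPLE}"'),
    Event("proc", 2108, 2100, NET + r"\vbc.exe",
          f'"{NET}\\vbc.exe" /noconfig @"{TMP}\\7vcphv25.cmdline"'),
    Event("proc", 1732, 2108, NET + r"\cvtres.exe",
          f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
          f'"/OUT:{TMP}\\RES842E.tmp" "{TMP}\\vbc842D.tmp"'),
    Event("proc", 2500, 2100, TMP + r"\tmp82E6.tmp.exe",
          f'"{TMP}\\tmp82E6.tmp.exe" {SAMPLE}'),
    # Run-key value name is not in the report; "update" is a placeholder.
    Event("reg", 2500, None, TMP + r"\tmp82E6.tmp.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"),
    # Benign control (assumed): Visual Studio compiling a project outside %TEMP%.
    Event("proc", 2900, 2800, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
          '"devenv.exe"'),
    Event("proc", 2950, 2900, NET + r"\vbc.exe",
          f'"{NET}\\vbc.exe" /noconfig @"C:\\Projects\\App\\obj\\Debug\\App.cmdline"'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def root_of(event, procs):
    """Walk ppid links upward to the top-most process we have a record for."""
    cur = procs.get(event.pid, event)
    while cur.ppid in procs:
        cur = procs[cur.ppid]
    return cur.pid


def detect(events):
    """Return (rule, pid, root_pid) tuples for every suspicious event."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    findings = []
    for e in events:
        parent = procs.get(e.ppid)
        if e.kind == "proc" and basename(e.image) in COMPILERS:
            # Compiler fed a response file that lives in a user temp dir, and the
            # parent is not a build tool: code being built at run time by a dropper.
            m = RESPONSE_FILE_RE.search(e.cmdline)
            trusted_parent = parent is not None and basename(parent.image) in BUILD_TOOLS
            if m and TEMP_RE.search(m.group(1)) and not trusted_parent:
                findings.append(("runtime_compile_from_temp", e.pid, root_of(e, procs)))
        elif e.kind == "proc" and DROPPED_TMP_RE.search(e.image) and parent is not None:
            # tmpXXXX.tmp.exe started with its parent's own path on the command line:
            # the hand-off that lets the child delete the original binary.
            if parent.image.lower() in e.cmdline.lower():
                findings.append(("dropped_exe_given_parent_path", e.pid, root_of(e, procs)))
        elif e.kind == "reg" and RUN_KEY_RE.search(e.cmdline) and TEMP_RE.search(e.image):
            # Persistence written by a binary executing out of %TEMP%.
            findings.append(("run_key_from_temp_exe", e.pid, root_of(e, procs)))
    return findings


def summarize(findings):
    """Group rule names by root process so the whole chain surfaces as one alert."""
    by_root = defaultdict(set)
    for rule, _pid, root in findings:
        by_root[root].add(rule)
    return dict(by_root)


if __name__ == "__main__":
    for root, rules in summarize(detect(EVENTS)).items():
        print(f"root pid {root}: {sorted(rules)}")
```

Correlating on the root PID is what makes this useful in practice: vbc.exe alone fires on developer workstations, but a compiler launched from %TEMP% whose sibling then rewrites the Run key is a chain with very few benign explanations. The devenv.exe control events stay silent because the response file is in a project directory and the parent is a known build tool.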

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7vcphv25.0.vb

    Filesize

    14KB

    MD5

    3fefff7a57c0303a17ebefdd3dc4d58f

    SHA1

    0d69fccc9ac782e2f043401f86d9ddeb800e7ff4

    SHA256

    b7d609c11934a0b1f8728384882a26734a48963c2f2ee00315edc256f20d4f69

    SHA512

    cb826888fb1ebf40b40c04baeb66aa0de1a42940ec9967a868f9fa195d92fd4541d11f6adb93a4f8be954253f2b30448ce20cb47d6e153e175b16d8775bd46b9

  • C:\Users\Admin\AppData\Local\Temp\7vcphv25.cmdline

    Filesize

    266B

    MD5

    1a41835929249c15a2c3a6f24818108d

    SHA1

    3c4233f304cc47eeecc5b38175125ac2ad66e7c4

    SHA256

    f3da2c880781df97731f958e602f7ad2334de81f42756ae16f1a79a19ce9b022

    SHA512

    98c380b4ed71353c786098c868dd70b284ec708c3307bac2956e30dbb12ba330a419196cd4c85d40b2e074410a64e807387dd06676e6c0970761eba092e965eb

  • C:\Users\Admin\AppData\Local\Temp\RES842E.tmp

    Filesize

    1KB

    MD5

    710675f2a110f8be920ace0ba5c686ef

    SHA1

    eab864caba700c796c47be8c37be296ffc229d83

    SHA256

    fade3a192163341a351c75d089d64e05d4454b5a5a0f1336f5ad06c4723201a0

    SHA512

    27f7a05f15de6793ef599c656cc64ff8461b50566a83c8e031a302e87f43d285282086e5fd7e5c09ad057a1acc6d6b08a8e6beaac4bc28b00fe63c1eda497a01

  • C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp.exe

    Filesize

    78KB

    MD5

    16901a52d7972cf2735ed7f764fd85d4

    SHA1

    0b32edb265bd118d8c29b05023097965ddef849a

    SHA256

    399c5266735c317de2fb33f30a115a59f9af89626d69d715a3847bef9eaa6b0d

    SHA512

    82749f3960a9ec699b4132354f87511839dd45c55e302e132ad430aba6893e53d8141a0918309a41fdcea60f9aaed06d364c8f2d4e1f4d8925edafe0c862a55b

  • C:\Users\Admin\AppData\Local\Temp\vbc842D.tmp

    Filesize

    660B

    MD5

    0a348c132f8cea11e002c91764873be9

    SHA1

    fc1b5be17f205d3896cb588b43e51f4785518752

    SHA256

    09ec8245d8481c82bac44498c9f313c04eeaeaafd2b1b332bdc24df9631b7daf

    SHA512

    8b7c5cd37e87ecf2491c7fc0b40331e2c2f7be7d0dfb91c9aeb171c616a1868478d5a92f36ad866f1b1d95c52dee66aebb6158616ad1a6baf404b688165714be

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2100-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

    Filesize

    4KB

  • memory/2100-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2100-23-0x00000000749F0000-0x0000000074F9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-8-0x00000000749F0000-0x0000000074F9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2108-18-0x00000000749F0000-0x0000000074F9B000-memory.dmp

    Filesize

    5.7MB