Analysis
max time kernel: 140s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 23:01
Static task: static1
Behavioral task: behavioral1
    Sample: deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
General
Target: deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
Size: 78KB
MD5: deddb4c05d21ebfe287148692017b375
SHA1: fc5e251b39d49f7d93b024dac1cac07113b17ec9
SHA256: 1a9ee379fa99ac78be460d500492e050d21965cd8f0575c4fb2fd2830278633c
SHA512: 28645e2dd19be55f86153d31c0942f29b55ff6d8e6c972fab1f67caf9832bb095689f0c79fb6e6efb0192b7206f9dccc9e85bb10e38891ea5ec227b3a7a5b65c
SSDEEP: 1536:15jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96T9/+s12D:15jS/SyRxvhTzXPvCbW2Uo9/a
Malware Config
Signatures
MetamorpherRAT
    MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Deletes itself (1 IoC)
    pid 2500    process tmp82E6.tmp.exe
Executes dropped EXE (1 IoC)
    pid 2500    process tmp82E6.tmp.exe
Loads dropped DLL (2 IoCs)
    pid 2100    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
    pid 2100    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str)    \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""    process tmp82E6.tmp.exe
Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process vbc.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process cvtres.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process tmp82E6.tmp.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege    pid 2100    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
    Token: SeDebugPrivilege    pid 2500    process tmp82E6.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
    PID 2100 wrote to memory of 2108    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 30
    PID 2100 wrote to memory of 2108    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 30
    PID 2100 wrote to memory of 2108    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 30
    PID 2100 wrote to memory of 2108    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 30
    PID 2108 wrote to memory of 1732    process vbc.exe    procid_target 32
    PID 2108 wrote to memory of 1732    process vbc.exe    procid_target 32
    PID 2108 wrote to memory of 1732    process vbc.exe    procid_target 32
    PID 2108 wrote to memory of 1732    process vbc.exe    procid_target 32
    PID 2100 wrote to memory of 2500    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 33
    PID 2100 wrote to memory of 2500    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 33
    PID 2100 wrote to memory of 2500    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 33
    PID 2100 wrote to memory of 2500    process deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe    procid_target 33
Processes
C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe (depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe"
    PID: 2100
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7vcphv25.cmdline"
        PID: 2108
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES842E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc842D.tmp"
            PID: 1732
            - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp.exe (depth 2)
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\deddb4c05d21ebfe287148692017b375_JaffaCakes118.exe
        PID: 2500
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads