metamorpherrat | 787e232a020699637e461030d95bf6047c8e7fcad709fa5b05c4b8555c3a0d9e

General

Target

df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe
Size

78KB
MD5

df0605eba67a433c0c54dbc57bf4a1ae
SHA1

5fd04c5c193dff141f8226cfe394a6106f493786
SHA256

787e232a020699637e461030d95bf6047c8e7fcad709fa5b05c4b8555c3a0d9e
SHA512

75adb9572e1b62f8b6f989f9698e1324f5138a9dc77c2dbe33b2c16552a566c033fdef85668d63b56967936ba9b128243e279ced0342c6e46eb7e5b06cde3260
SSDEEP

1536:84tHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt+9/n1wS:84tHshASyRxvhTzXPvCbW2U+9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
704	tmp80B9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
704	tmp80B9.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp80B9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80B9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe
Token: SeDebugPrivilege	704	tmp80B9.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 1372	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	83
PID 5064 wrote to memory of 1372	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	83
PID 5064 wrote to memory of 1372	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	83
PID 1372 wrote to memory of 3068	1372	vbc.exe	85
PID 1372 wrote to memory of 3068	1372	vbc.exe	85
PID 1372 wrote to memory of 3068	1372	vbc.exe	85
PID 5064 wrote to memory of 704	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	86
PID 5064 wrote to memory of 704	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	86
PID 5064 wrote to memory of 704	5064	df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wifkflvu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES825F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99896595261D4759B9ADD8BD4D4ED1D1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Users\Admin\AppData\Local\Temp\tmp80B9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp80B9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\df0605eba67a433c0c54dbc57bf4a1ae_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES825F.tmp

Filesize
1KB

MD5
85e7d20f49b50bca8a5ecf8c9e707e7a

SHA1
d4b460b763ebac0f3d630b45dbf1cd1e59d10c49

SHA256
fe799099b6b90846cf06de36340600147c3704ff0b5420c79335f13e7e9d1323

SHA512
eeeddd7d03b2dfa884128551a96249b811461f7582d4b574fdf0d631a477a9641daec0c1d98f97cc17116c1dbd84a383a985c0bef4db7f7a9a6b1376cf75fc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80B9.tmp.exe

Filesize
78KB

MD5
2bdbe12edcb5589eaee3ede38ef15804

SHA1
5d71373baf2d275008d0416a7572c656c87118a4

SHA256
ef6173fba1659e61ec1577ba4a96f10f3a9b7ad6f2f50376466bd5d085bb9c84

SHA512
a64c3d9e4d356c7b1e9e8bdc8fd246226621d6ee2b992456a7b20c3992dd0ca2009465d612cbd21e49ff56e9713fc9426f577a46136b17cec588c6ddf3008f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc99896595261D4759B9ADD8BD4D4ED1D1.TMP

Filesize
660B

MD5
98d3580f2f30cc588a6667d1a507108f

SHA1
0c5601672739ae8035a92163645de0eb21bb2db3

SHA256
3d2e85096c6f9ae9e63e09dd42bb040aa6f398166ca62dd5c7006e982b2d74dc

SHA512
870a850f565ec066185d8e8f8bf7d6072a8a03f31bff63fbeff057d05b83136636b9466e0fbe89579b4e4f94f50c4220ca7185d9a6c60291aeca219d48594cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wifkflvu.0.vb

Filesize
15KB

MD5
47119b1b2680aa149013cb11e8f70ef6

SHA1
06bf3f2a8fc83892d658636e44c001325f8d7fde

SHA256
60fca72c8e9fbff2947e556377545397b6818e8ad57ef2e3b451560f80230230

SHA512
022ddc16fe6bc469d985be5cc075942fc43a58b4de6eb807745a87d591204d603415c8ecd198f94c2af90b55ee055ff0ee447d709fa64e8d4fd37763e247ef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\wifkflvu.cmdline

Filesize
266B

MD5
035bddaf3d8dddcecd1bf4afb516aa7c

SHA1
62402806a57fcb8e2751f80760a1221574337f4e

SHA256
17d12fa208724d4ab8dc2ce1fd733707cb1b223401be935777a849209c26ab94

SHA512
6f2572d7fefedb2bb773c21edee68c190773b320893bb75ef8b022a7c9ba2662c0986888d5958d3a80225b5683ca72aa2969f5d961b0fcf97a88d2078d92171e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/704-24-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/704-23-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/704-26-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/704-27-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/704-28-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-8-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-18-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-2-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-1-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-22-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/5064-0-0x0000000075232000-0x0000000075233000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads