metamorpherrat | f187c2edd53b11f3b7e309267c3128866baa444d1c9d363c11fe725f19b47f5d

General

Target

eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
Size

78KB
MD5

eebe0a8ea893d6b546d8c4ee876e54ca
SHA1

784284c58b5c3ba6e3d36028aaa1f71b92c9af3d
SHA256

f187c2edd53b11f3b7e309267c3128866baa444d1c9d363c11fe725f19b47f5d
SHA512

6a1462e2c8c877186bd033b1f988796a689260bb7a51779da8cc54b0eac3cf96b52815d4b6de51ea549c59b72e6009c5e680916a70348b74997ef9e5711293f1
SSDEEP

1536:HSV5OXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6g9/N1i0:HSV5GSyRxvhTzXPvCbW2UP9/P

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Deletes itself 1 IoCs

pid	Process
2248	tmpD0C7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	tmpD0C7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD0C7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD0C7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
Token: SeDebugPrivilege	2248	tmpD0C7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2384	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2384	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2384	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	30
PID 2284 wrote to memory of 2384	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2192	2384	vbc.exe	32
PID 2384 wrote to memory of 2192	2384	vbc.exe	32
PID 2384 wrote to memory of 2192	2384	vbc.exe	32
PID 2384 wrote to memory of 2192	2384	vbc.exe	32
PID 2284 wrote to memory of 2248	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2248	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2248	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2248	2284	eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\awkfsfck.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eebe0a8ea893d6b546d8c4ee876e54ca_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2BB.tmp

Filesize
1KB

MD5
a2721cfad75f7515bebf99606b26c0d0

SHA1
8f99d26a8bb3acfdca37786178a437f53e938618

SHA256
5832aec12b19b9e9aa8981049b34d79bfa0a71c45e77d5d82b347a778489a7fa

SHA512
192702aa2f14735bcc851ee8d5a2d98523892a4daee2960c2af5ee1d91dd9f03702049967ce3d9babbeaf8b8843e0e713dd3ed0615472949a8962e0e3be9164c

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkfsfck.0.vb

Filesize
14KB

MD5
99fbc56dc458ec57d705222b7c45f62a

SHA1
a9757746560236028f664a6d5e86291cd4122e8f

SHA256
0def7b03213f51264b53e552859b7d7195c4ac5fdc452555c2b547fb2d820bf1

SHA512
b779d24b20322c37a3a6e39fed8c1024f8d71a198eb3774790f31a6c9e34353421b2344f26c9307134938afcc77131a9bd5c92fd4eb69566642d55d321b0620f

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkfsfck.cmdline

Filesize
266B

MD5
172cb472241ebd1b79a8172e18f02e69

SHA1
61173af47b0123b18956d70b0d8c547579463f8d

SHA256
bf1ebe010920f2854cd638aba0bb9cc5f539c4396316a9b7149f740ab4ec2398

SHA512
5fd27c132a37d96015f77650b09d482d2fe4a86e096f74219ccb24834fbd7d2ae4d6cb9240d870447c76cb5154544d865feee8cbbc72cbe06b0fdce23c9a8d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0C7.tmp.exe

Filesize
78KB

MD5
b290b83d041849f2d2b8e7e89a9d1ec1

SHA1
797fbfe25228b83f74b3fdd6af1b70c908c4dd09

SHA256
50c27b8534af4151c248ce9377b65c4420f8db62f213ec06383ae76214ce3b6f

SHA512
bcaba1d85ea6b78016c19136c7bbccd2c70a1a7a3013f8ba3c2c09737d9a3e814ad037910e1601150a36ebe5d62580853e7e420cc380e2d58171c24731ff3543

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2BA.tmp

Filesize
660B

MD5
c768d80eb032f51aeda21b0c60c27d70

SHA1
69fa897ea695f61ff1d846a18634cd8f72a92ece

SHA256
049af5a5345386067f87231faa0c714e542d386d8ab440f4a46d670d11b02910

SHA512
a67d4ea7b3124f355ff1483a6f95dd1c67c018c4de9e8d49def91d0cadd388d65dd9543d0b5bb8a354b1d854f6454598f6f54c0f99d5a8e9dd257373a247efec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2284-0-0x00000000747C1000-0x00000000747C2000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2284-3-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2284-24-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-8-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2384-18-0x00000000747C0000-0x0000000074D6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads