metamorpherrat | a566cbc819cf43d5877c692be055651d70e8c4bcd495d0a3031d60f0cebe332f

General

Target

fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
Size

78KB
MD5

fd8ed11ffd5b198863d70e987ee098f3
SHA1

9a05d00c002e5b1c995071ad133fbb356eb5b032
SHA256

a566cbc819cf43d5877c692be055651d70e8c4bcd495d0a3031d60f0cebe332f
SHA512

e6475188467a12f100274066500f196454610782cb1b3543fd976d6ceac73113dce9880f96ec290935ec9b8928ac14d0b2a5e4676c863c11b711d96e0b4b6110
SSDEEP

1536:tPy5jSgpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtC6B9/bmJ10Y:tPy5jSeJywQj2TLo4UJuXHhp9/aR

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2932	tmp5B79.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5B79.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2920	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2920	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2920	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2920	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2828	2920	vbc.exe	32
PID 2920 wrote to memory of 2828	2920	vbc.exe	32
PID 2920 wrote to memory of 2828	2920	vbc.exe	32
PID 2920 wrote to memory of 2828	2920	vbc.exe	32
PID 2808 wrote to memory of 2932	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2932	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2932	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2932	2808	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qp3egbur.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E46.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5E47.tmp

Filesize
1KB

MD5
ae56612ef874f4a89d066272e07d309d

SHA1
6394666141c0ed4156f4349afcc8c9a57a020e2a

SHA256
7e8464cd13188360a48d69bf8fa08ae77c38602161aa5159530bb0b239af6682

SHA512
afb89c41306743149b8d8e4686b9a2ccd1bab4afdbb080b15c23b7d28250910c2179b4f949f3636a2c0538b4da0fcd27c23dc970164b39de0957439b8aabef1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp3egbur.0.vb

Filesize
14KB

MD5
6f7af345538a6d98fe6bf42c0e56d2c5

SHA1
2badbe6b6fcb5f327aa4c9407a497a0f0751217f

SHA256
21734d05319f7cfd2cdbf5b48c6aac19ad24a2ae07e1221de91fa0a58c57aa49

SHA512
089b03a491a4ea480f3f614d318d7364e37b6333c82f708f4f61aa9e19dde06a34d89ad8e338405b3050631f06567641a534604c3e1a0c4e0f291bf1d7102a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp3egbur.cmdline

Filesize
266B

MD5
fa66b3e8efa357e56aa929b4441de397

SHA1
41fafa8dbffecd2f89f2b57bea0362652c7d6577

SHA256
327cbbf7419846d20d4f35ef031f2420b66bf16884b7ed2c2a7a4a8eeed0d658

SHA512
7f58eceb301062f1998d94af6bd64cc9619495713ff857b35cb8d4228e7f60d20ec05803c5ae66fc1c133ac11d21c1fa8783fadf553db21fe84a516474788ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp.exe

Filesize
78KB

MD5
6b1a191791919a7a7416bade834d3cb3

SHA1
dd8888b99dbe1f92e77eb4924cd57b824912fb2a

SHA256
d48c15880a8a23e78601fcc734c5413875f95dfcafeb15d29de90e982a8f1a97

SHA512
15ed81e04dfb87f52a1bab596dff8d23d477f5a99178b7bcb3ff44d75b0c0baa8369e34437e89d54a9475cca826f05bbe814b7852d88272e31a1baf647be3d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E46.tmp

Filesize
660B

MD5
3b946f308feecd8cdc5e0aaa8be3696d

SHA1
f821fa8489c0aa5461191be60c437e29aa17f28b

SHA256
9c62e48ec4243f5b58cdf9ca846bfaf4cef5cfce412af5fb37d396983d7b3361

SHA512
9fada28af8d4caea1a8faa909746ef9aa18e98f3ca31ad9af8cad0c523e2ed4a8aa693029f7e7ec95f18ede0463e3235fc75fd389435b22064d505bfe2176f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2808-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-24-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-8-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2920-18-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing