metamorpherrat | a566cbc819cf43d5877c692be055651d70e8c4bcd495d0a3031d60f0cebe332f

General

Target

fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
Size

78KB
MD5

fd8ed11ffd5b198863d70e987ee098f3
SHA1

9a05d00c002e5b1c995071ad133fbb356eb5b032
SHA256

a566cbc819cf43d5877c692be055651d70e8c4bcd495d0a3031d60f0cebe332f
SHA512

e6475188467a12f100274066500f196454610782cb1b3543fd976d6ceac73113dce9880f96ec290935ec9b8928ac14d0b2a5e4676c863c11b711d96e0b4b6110
SSDEEP

1536:tPy5jSgpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtC6B9/bmJ10Y:tPy5jSeJywQj2TLo4UJuXHhp9/aR

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2436	tmp7B98.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2436	tmp7B98.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B98.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	tmp7B98.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3720	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	82
PID 3916 wrote to memory of 3720	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	82
PID 3916 wrote to memory of 3720	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	82
PID 3720 wrote to memory of 3956	3720	vbc.exe	84
PID 3720 wrote to memory of 3956	3720	vbc.exe	84
PID 3720 wrote to memory of 3956	3720	vbc.exe	84
PID 3916 wrote to memory of 2436	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	85
PID 3916 wrote to memory of 2436	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	85
PID 3916 wrote to memory of 2436	3916	fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vaztvaj.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3F23081585447E4945B743FB25D8EC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd8ed11ffd5b198863d70e987ee098f3_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5vaztvaj.0.vb

Filesize
14KB

MD5
c8eba36bbddb46ba696be79f6a9ee155

SHA1
02e1164eaf86312f58116b540dfd0a7a384a5276

SHA256
a4ae97c3f17082ec0662ba81d1ee70f62ad2f895590cc76cfcbe1ea48a0ac6df

SHA512
1714f6533a7e77c9aa686c6515ebe82c0ef89fc7da7961fc659de133cb6decc3f7414d1f00eee018d44fca578fdaf8929e4b5ba8d2190015b95ab3cc1db73a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\5vaztvaj.cmdline

Filesize
266B

MD5
7d467f7ecf0fde792b23d4d372c2047d

SHA1
6b2f746b5dbc96065f3d0760500d66ac153e0711

SHA256
a2691cee8286567e029290a7fb3029bdd39e986848eb255db6f205988f724f54

SHA512
82a70b9eec012741e8c27f81690e9c86d644bee38f2acd1c77029de60ff8b66f4c2fb3f98f31442304c019bd93efde92d33430a070e4d9e77729b191f3ed71ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CE1.tmp

Filesize
1KB

MD5
5e8aaac982b553f7af33ef077aa99110

SHA1
e22ca2354783149ce46153fe73f9691ee0e9caa2

SHA256
6f10498a6e2b865a5a645c07cc886062408d73b9548eab309bde7eabdad38c5d

SHA512
80e62f267288f29d2eebad1f54d1f4541530fafd741933350fa54ec6cae285b08f1adbeb9932ce92ba805253ef09bfaf38819bf22683d2fd722aec594b16d965

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B98.tmp.exe

Filesize
78KB

MD5
72bba497c15b10070cfd3011265fcbac

SHA1
e37bcb8934ccb1704262bacda6be919fdcb9d5fb

SHA256
7074cff5d1373b6ce19f37d8a734f83d203330dade532aab5421b9bbe5f5a0fb

SHA512
7ceaad9713e319db6e2723ef55397c687259fa312528d03baf3b46df5a3784a8f892e7fb45cbbfe74419e5eebc599cd55bd5b3c009042bc89a810deb03d14104

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF3F23081585447E4945B743FB25D8EC.TMP

Filesize
660B

MD5
16c49fc0b4700681776e44c1a74ca5f1

SHA1
1154099f018b20ad8f5ba807f868dc2dbcc8838a

SHA256
28ae05355216e30efcdba8ec206cebe1042b012f733d1949451d483055f887a4

SHA512
6fd4ea316b4813c3e7c54116a7aa5e2916240eedea7d8c79e3b71a27d7ee2d18457272fcf402805b1ebb012099fdd9b048781f807bd531efe9d786fc7a890a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2436-23-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2436-24-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2436-25-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2436-26-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/2436-27-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3720-9-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3720-18-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3916-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3916-22-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/3916-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing