metamorpherrat | fce30a2de7a9b086334c8ca83c7f1a6899c9398441acb19e95d07b96a8fa6541

General

Target

JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Size

80KB
MD5

bfc5391497c5871690e47d3648bbd5b1
SHA1

af86a8a22f659bd1327b77a9ba12b9ef07605e39
SHA256

fce30a2de7a9b086334c8ca83c7f1a6899c9398441acb19e95d07b96a8fa6541
SHA512

f2d958036e799ec069db09970e74a75818cd3f86010b8ba33166576f80e0bf6ff2ffc96a6e5ac35e3c4209251acfb422dd674c668392cd3317b8dfb10cd1a55c
SSDEEP

1536:0e58wXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC67j9/O7q1Yu:0e58oSyRxvY3md+dWWZyDj9/Oo

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe

Deletes itself 1 IoCs

pid	Process
4680	tmp9A1D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4680	tmp9A1D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9A1D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A1D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
Token: SeDebugPrivilege	4680	tmp9A1D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2940	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	82
PID 3076 wrote to memory of 2940	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	82
PID 3076 wrote to memory of 2940	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	82
PID 2940 wrote to memory of 920	2940	vbc.exe	84
PID 2940 wrote to memory of 920	2940	vbc.exe	84
PID 2940 wrote to memory of 920	2940	vbc.exe	84
PID 3076 wrote to memory of 4680	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	85
PID 3076 wrote to memory of 4680	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	85
PID 3076 wrote to memory of 4680	3076	JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wsafyp0n.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2FC8A5299C4719AB3252E7E84EE2B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfc5391497c5871690e47d3648bbd5b1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9AD8.tmp

Filesize
1KB

MD5
584b903e198773d27010be8e9a02d583

SHA1
d0682dc1df1a2278765921bbd551747f98dc2484

SHA256
8c5370b1ea74e99f9f9e74482762b75784563fb710f31e2c1064401dcd2007ce

SHA512
a680f3855456f178aeb35b80f2ddbb1fb8385e986c648e668a8b0a9a93b7ee7eb8a3b91482d4f38a46494468e5c84e96fe02b6c09672045c756f5ad4a19e2d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A1D.tmp.exe

Filesize
78KB

MD5
43dd84969714f630a8a46747a17e461a

SHA1
c4f24b1a2b0c858e4366b43e7d407b6da6c772bd

SHA256
e5fe6052051b7c7b39563bcad5149025bc7b3bf498260ca52f58c785aae564c4

SHA512
d41b25c8c0baebe4321cdecdfadf80fe6c6f8350705379831f94a00e3196a95eec7210fc92382993d34e2687a2b15fcf9e01bcaf2ab48fa77038357514a092c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2FC8A5299C4719AB3252E7E84EE2B.TMP

Filesize
660B

MD5
d1e57e6671cb306aea9b7c7e34933594

SHA1
6d56a45f12e2a328f6ad500f71c6a871e8610db4

SHA256
631d090efa69bbd564177e2da02b8219afbe3256c7e70df7261218377dcc255c

SHA512
521d24c62e59e4a6829a9ad5d5e5d3fef8a32f43239b3e576da56c155663ddaeb5274289c0f9cdae9b26a322e0f4017c4806ed942e28b39960f10eba9161028b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsafyp0n.0.vb

Filesize
14KB

MD5
27e470fdad75340ef14cc87a18fb224a

SHA1
8616cf234aaf6f112f3df6fbf381de5f579a8903

SHA256
07fe3912b053aa5febf2e026583a1feb074eead240fae80bd909a1b78267ed45

SHA512
f2a96161076c850846d893ea6d42325a21fd8e4b9c77799f53435b4fcf8f65c1336a3c17e88ca958e22608a5e5201b8bcd4aabe59f710aa29ad4f45b2154f722

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsafyp0n.cmdline

Filesize
266B

MD5
63575309807dd141c37c28f1925c715d

SHA1
147bcbdc21c120c1ffd05aacd6c61d54cdbe501b

SHA256
a96112a49ae2b5e4f0b7bdc75b0194df10d64dcbdbfd77f5106a874ffead88bb

SHA512
82f7259cc2381f7f7b6fb7de640883b9d00b05cbd06a64d431bb6fa7ba20e08ed1e506d0ebc6558161b627d2c5cfcc88022592a5da596e3ccae0c65840879b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2940-8-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2940-18-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3076-0-0x0000000074F12000-0x0000000074F13000-memory.dmp

Filesize
4KB

Download
memory/3076-2-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3076-1-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/3076-22-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-23-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-24-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-25-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-27-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-28-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4680-29-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads