metamorpherrat | 81e6145cbc93443083f2398466f3a7d39c52dcac816b92b4619576ce531c0624

General

Target

JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
Size

80KB
MD5

5da3837530dd6b1a9666ea002aef5238
SHA1

41893ba57e61f8b177775c4d8ff982a8ec73e94e
SHA256

81e6145cbc93443083f2398466f3a7d39c52dcac816b92b4619576ce531c0624
SHA512

666fd1978741d8b4d6360bf46d93e957af5931f1777021e75ed403a125d5d9d0123410b41c88329d4595c587b125a2e85e09ec5e0f5498651d690ff344f64cd4
SSDEEP

1536:9HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLg39/CF1b:9HFo8dSE2EwR4uY41HyvYLg39/Cz

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe

Executes dropped EXE 1 IoCs

pid	Process
432	tmpF397.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpF397.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF397.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
Token: SeDebugPrivilege	432	tmpF397.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 400	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	83
PID 3916 wrote to memory of 400	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	83
PID 3916 wrote to memory of 400	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	83
PID 400 wrote to memory of 544	400	vbc.exe	85
PID 400 wrote to memory of 544	400	vbc.exe	85
PID 400 wrote to memory of 544	400	vbc.exe	85
PID 3916 wrote to memory of 432	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	86
PID 3916 wrote to memory of 432	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	86
PID 3916 wrote to memory of 432	3916	JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oump31uz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0B5F4C2ED4C43549BA0A98CFEEFEA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- C:\Users\Admin\AppData\Local\Temp\tmpF397.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF397.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF4B0.tmp

Filesize
1KB

MD5
fdd0bf98b8369b0f1642d2874ee594a3

SHA1
73e625a9c010ddb89829e104ab6e6ec982e09746

SHA256
a94fa461328872913feb5c83f3b4c2627ad3ae8e158942faca8ecc6b8d7fa35c

SHA512
e4b8a471774bd273c108b644275bf6483be1badcbca6f9880b7943ac63c8dd7ac16644c330eaac6fab2fe9cfec44abe2364205a7c55ac09019ca4e7d02dcff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oump31uz.0.vb

Filesize
15KB

MD5
20fe44093bca19609754298e89eada83

SHA1
ae0620cfbc7cebb87f24690bb8a879bbdcf10939

SHA256
db142f91baaaf02d3a7b39a30090c576f00bc702b2f85995864ea953a8e45118

SHA512
f4e660452bc661c9e6a64f654964fd1329ca09099ff13e5dcc2be8d9ed7b62e4f8745239245cb6cc8cd8eccdc30dd17437a12a6f5c5e1aca44e1ed317bd17e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\oump31uz.cmdline

Filesize
266B

MD5
f8480542c77da1180f43a770a5575467

SHA1
709cc21b0c651c5c416cd1fdb3f23024cf073a85

SHA256
d57d709a21ccaa48d0dd5ace2a8b57b9b76020770c366b8e804cf098398e1c76

SHA512
12d21ecfe898b72ba6face26488b3ceb07b1f05be36679b6c8bf90b1b441ed11e5ce303530146f4d8520752d29b23932aaded3cfd1039dbbb72bcb61fc021643

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF397.tmp.exe

Filesize
78KB

MD5
df5b9cecb8c14b7eafa46143e45ae23b

SHA1
91e6cea3ce2a454383e683241a2ccd22a0e8cc67

SHA256
56f60e7339bcd125f3e294b68b6fbc61784d1f520f6c5fed613eb26148e5cc0c

SHA512
044f348b0cc7ce96aeaa74ee1c343f4fca1200a1ef49e72ba0b5cd41447a701905cea87df37407567caff884d89c0b4ea7c5bbe7d6cd2f945b790059a1610259

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF0B5F4C2ED4C43549BA0A98CFEEFEA.TMP

Filesize
660B

MD5
035a926bc35dce4caaa750ea2a516cbc

SHA1
4cd34a3775252e60ca6a714d85fea788eb2a8771

SHA256
9eb5763c515c06c6726c7d9a9424c7fad882a4a61ba22b35d9e42c52c510f693

SHA512
f08a2f1f257e533c6d56810b6b3cd8adef783c3d72da927aaad91aeca4b4dc34c5f9bc802e06b9055504a5ae00815a08ac6e25429908bf2a7867756296273761

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/400-9-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/400-18-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/432-23-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/432-24-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/432-26-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/432-27-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/432-28-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3916-2-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3916-0-0x0000000075432000-0x0000000075433000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/3916-22-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads