metamorpherrat | 5da30448000f33b57a10b1e51a9fefbc1bdb3a6fc4b8ef2bd8602cfc31e60427

General

Target

JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe
Size

78KB
MD5

9f93e13557168d7e27c0a204b0a7f6c7
SHA1

546ee81e300415bc56f26b07c9b170ec64eb0666
SHA256

5da30448000f33b57a10b1e51a9fefbc1bdb3a6fc4b8ef2bd8602cfc31e60427
SHA512

1644784deebfac76633ce874036144f55debb254b28966711c8486a294e6e37711da718c374e60d16edcadc0f2614748637adefd6260e788eb4708256e1c601d
SSDEEP

1536:zCHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtq9/e1YP:zCHF83xSyRxvY3md+dWWZyq9/N

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe

Executes dropped EXE 1 IoCs

pid	Process
1432	tmp922E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp922E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp922E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe
Token: SeDebugPrivilege	1432	tmp922E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	83
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	83
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	83
PID 3032 wrote to memory of 4656	3032	vbc.exe	85
PID 3032 wrote to memory of 4656	3032	vbc.exe	85
PID 3032 wrote to memory of 4656	3032	vbc.exe	85
PID 2192 wrote to memory of 1432	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	86
PID 2192 wrote to memory of 1432	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	86
PID 2192 wrote to memory of 1432	2192	JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_pg3uej.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc300E69D3884AB8BEB1193B9D89262F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
- C:\Users\Admin\AppData\Local\Temp\tmp922E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp922E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f93e13557168d7e27c0a204b0a7f6c7.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES954B.tmp

Filesize
1KB

MD5
d331fef573e7addf6ec48b95daaf1913

SHA1
92c17646abce14dec4f59816cb6cd0ec0c13b923

SHA256
073ef9bcf5f551f0a44ec44e699fc8dac3859d58340404c9283d1f757323de7f

SHA512
7c95227ce77d52ad487049fd0c873593e48eb0d6adcd2b7bbbd5963930bc1986244b12833c7f88acde10bcce3f085fa3b7f29408641c73da36ce0fe8c55674ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp922E.tmp.exe

Filesize
78KB

MD5
fc5db5a68dd264cbdecbbfd4ed823f50

SHA1
2f6f54d8a8c4429f31ecc27bdfc6fc5ea39a8bac

SHA256
6895c36cfa24edf516bdfc0e68210494fe1e7ab0fa1a7a75b0b414fb9e7c2bd4

SHA512
d37080760935627e89c12d80c1eee65c3f250b9b98844120c039dfdb3e45510fecdbd9734be2b1a59930c71351e4c6617de6867d8a7a8decd3edb7dbc81b56e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc300E69D3884AB8BEB1193B9D89262F.TMP

Filesize
660B

MD5
af1339aba1a62c81e5d18a016ba2a6e5

SHA1
9b54f69baf18eb63642a7e936e9da534bc862dcb

SHA256
4e65741b218f249c58d0ff863ba5f4721aa0af1df3bdc57eb2c166847fbc1c19

SHA512
c687043b89858109b3fbe15e6ce0d6802a2a9a3637823c9231a7388936a1e0b4441c7864d86368e2a5369c69f626e8ed6f6535da9c92d0e51ffb007cec615a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w_pg3uej.0.vb

Filesize
15KB

MD5
bae2a4027415c2e48984b351fd0062a1

SHA1
e361750d8fda172866fda95b4bacd9d97abaeb00

SHA256
61ec6a4f8c41b7b98c83d6e1cde3ad7ce150bab6008f3367411c89ab138bc93b

SHA512
6d5f03942b032b22a26217051b8ad84a017b8ac4dae5c180b6e55e8ee22e5bf738bca5aa8c1f22e047f95356aefc5085c997d416bc6f305b2fd029d1d15b8a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\w_pg3uej.cmdline

Filesize
266B

MD5
f6d3e300514f25ce659433336917b1dd

SHA1
79a86b9f73c95f0e95931438bb8687d33ef8dd59

SHA256
c0ed7b515c7dd086a66c097809ed4cde0c7015d1645e636ab26fdfe7dc705fbc

SHA512
1e498b97b419455f3c77974ba1b9910b402d92706bd6e346f91d8ba7d5405ffcbc28ca5e20be8f2236818c1ce70063e79532ff98880487e216ff326e244c6a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1432-28-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-25-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-31-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-30-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-29-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-27-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-23-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/1432-24-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2192-1-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2192-22-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2192-0-0x0000000075272000-0x0000000075273000-memory.dmp

Filesize
4KB

Download
memory/2192-2-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3032-8-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/3032-18-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads