metamorpherrat | 136a03ad57c5c776e430e6b55dfbc54f511bbd10d7142167468ac7c540812e36

General

Target

JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Size

78KB
MD5

cef3bbd98000f0c86468875637bbcc59
SHA1

c66b941152a1f8552cc14a5e57f4ae385869a41f
SHA256

136a03ad57c5c776e430e6b55dfbc54f511bbd10d7142167468ac7c540812e36
SHA512

d0b9466d387c9e811fbdee474935b9dee1e2e90fea8680b7a2b90dd6ea59ecc850a451e7b687aa975e0e2018ec998d30faf3c9993298514eda2d788ff1491944
SSDEEP

1536:XHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt159/m1PQ:XHYn3xSyRxvY3md+dWWZy159//

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe

Deletes itself 1 IoCs

pid	Process
4060	tmpF7CD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4060	tmpF7CD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpF7CD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF7CD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
Token: SeDebugPrivilege	4060	tmpF7CD.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4596	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	83
PID 3052 wrote to memory of 4596	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	83
PID 3052 wrote to memory of 4596	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	83
PID 4596 wrote to memory of 2272	4596	vbc.exe	85
PID 4596 wrote to memory of 2272	4596	vbc.exe	85
PID 4596 wrote to memory of 2272	4596	vbc.exe	85
PID 3052 wrote to memory of 4060	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	86
PID 3052 wrote to memory of 4060	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	86
PID 3052 wrote to memory of 4060	3052	JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dfoxh5ma.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ACFA44B4F424E14B23C99357D36242A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cef3bbd98000f0c86468875637bbcc59.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFA2F.tmp

Filesize
1KB

MD5
bddbdbc805590f8b35c9303909625012

SHA1
9315656c7e72100089070dd5933698c60b3705ea

SHA256
ce3ca0260566b438d1ef5a447847ce1904c8741bb4accf619fd53389502a1a69

SHA512
ff8ad342cc1f1f690192236233d7031a1523ca7d6f337bccea239ef85d9ed12680857038bbee450b6f0983a2963e443ad3864c41d5bde1b5f0c700eecc6ccc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfoxh5ma.0.vb

Filesize
15KB

MD5
24126f9bac1fcc04e7d5a1139bac7edf

SHA1
43b680329772911c59040be7a7fe0bf486053ed8

SHA256
5a2eca8b4b60a0e2247aa018db5c3a4bc9b80e81016e3e10ac8ba3912c781c90

SHA512
a1439329578f1a1e444ef5935bf7b2aac5dafa1be903ad7fdba5cd5e7a45eca61cbd42083f4466bf607d3013901bd9c6a1eae965e7335ad1285770ec2e045a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfoxh5ma.cmdline

Filesize
266B

MD5
638202de5c47993dc9834a462dbd08d4

SHA1
c74c3d7a9683f743f8963db4d895c6e78668b2bd

SHA256
7066b564403ae569b3f8f05f82af4b2463694f53a9728d85e37987a9ec5af024

SHA512
1adb0247319f81f9a2639bd3170f517422592fd0e4c6b7e003545f762b34e11f4700e45d538f6d0d878c99af305fbec68983a91d85fe97f809176524bc87ea6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp.exe

Filesize
78KB

MD5
446efcb5384246385bc5422ff069b2d5

SHA1
8edc1639da4e7884b64150b2aa5ad2e80c86e605

SHA256
dbd26baef475af7489b5750403db01b5f39a8883fd0b2ba01aede3121ce30aeb

SHA512
cea2f0cd999bb18b958221515dc3a2291e1d936568e6061cd862cbf2f817646ee9d8ed68aa64c422d5c2abc57d57656ce86db2702977e903e179f16c0b67a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7ACFA44B4F424E14B23C99357D36242A.TMP

Filesize
660B

MD5
3cbd7e88efcae335cbe1edfd61fd851f

SHA1
0a210e6929d437c266881a2216ad90f52d8f1eab

SHA256
b87fce38f3b390eb54eca0109da16ebf0fae4913ec4b7b0c80a4b54bb9dfadc2

SHA512
a520e0e2a00b5aae2013bb09a68bee2b7c4add0dd39eaf7646ec29aa8d1170253a7aa12dad8daa7b6ba3ff0bae19cc3594f9a88742b6ff4a94cf899c206d6eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3052-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/3052-21-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-25-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-29-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-30-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4060-31-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-9-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads