metamorpherrat | b36fd8d11afa644327c9f80608f9b426aea128734f25ea08e310cce231927999

General

Target

JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
Size

121KB
MD5

b0976ba610b5d7160f9ead39bb28cd5c
SHA1

0230c03b749e42bb489c3336f077961aa72458ce
SHA256

b36fd8d11afa644327c9f80608f9b426aea128734f25ea08e310cce231927999
SHA512

0f12f342b0cdfc146b63e6a1b30eb3c4e1770204dcbaa5f4965e8573aa7cce4ad934f4722d6a2cb279b5746b99f422e1e09b8814e628bc65cb360af7efc8c74f
SSDEEP

3072:vLgpuOqXeZcbmFMoSj5YUUQaem3DXw6UoambuFfJsWE6STeU5VrMxCi18iRRgVTD:GzgvoKoTq/4hrqUfy6+N9TUeAXqMW

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2776	tmpE447.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\shfusion = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.Build.Tasks.exe\""	tmpE447.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE447.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
Token: SeDebugPrivilege	2776	tmpE447.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2264	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	31
PID 1880 wrote to memory of 2264	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	31
PID 1880 wrote to memory of 2264	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	31
PID 1880 wrote to memory of 2264	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	31
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 2264 wrote to memory of 2356	2264	vbc.exe	33
PID 1880 wrote to memory of 2776	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	34
PID 1880 wrote to memory of 2776	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	34
PID 1880 wrote to memory of 2776	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	34
PID 1880 wrote to memory of 2776	1880	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xovxcdi5.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE522.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE522.tmp

Filesize
1KB

MD5
081109d86ba08362f934c3a2a55f8e02

SHA1
c4be83cb1f13f58f9f43b04ff79434d3e51b6604

SHA256
5e2b45a5261f8176435279a268a61591833a2d3e39ce066bb011847b6ee05eca

SHA512
67eaf2f74b055c4623c60bbc3070f8f2a1fe418898ef7c1d8f76c92148f6dec93b73ffa5a517f3b9fac60d5991db25c5ccb7beb6782f182f302a0b52c8d9b7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.exe

Filesize
93KB

MD5
0408d01ac0487be605cf467b06807e71

SHA1
951a0de73bf86620bbc7827a6985b7864b15cb92

SHA256
a77d59054680f0b796c4c8510558e625791f7a8927d66010425edf5c034c6e2c

SHA512
269c2ef21053264f06457a6b3a56d39f8200d4cb257400e1be40cf835012ac26dced66902713f1398c5835faeee38adff6bc3185334f76d6490f626ef70c819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp

Filesize
660B

MD5
f57a64241fd1b2cb4ae70fa69e6cdce6

SHA1
a27052d36683d9dc6046eec4452affb348c19187

SHA256
2c2f9c3b0ff118fac2d5ce04ce2761b542fa452ac059067768f5512b91ba238b

SHA512
3c83e48030876431ba179cc705e73996a60f057c650f783383ebee82b79e8b6ec69ac21bada842f604ae666ba92cd63a025b4925597174beb92f5ebd10ff7f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\xovxcdi5.0.vb

Filesize
54KB

MD5
495587cbe3ff8a9aecea547aff1dc272

SHA1
6c206ceeff0c37b50107acef7568e26d4c455be3

SHA256
499fe5e41985df6c028c37a25d6f3c74f51286bb6e7b7c316be612131f568763

SHA512
4e3e971b60ba8bddd2769ef904bde69f5d881ec24ab6a2f85a3c42af36caad0024702e6de189b7a3556f3eb73f86014efe75c1c71926f14ecc6a0e1a0079c401

Download Submit
C:\Users\Admin\AppData\Local\Temp\xovxcdi5.cmdline

Filesize
266B

MD5
0d99912db65aa51e1203e25516171b81

SHA1
f2996cefccd028b101f266ee4696698b15370bda

SHA256
b0f90dd8901a9f49f5f04ff72aab26372f1cf93ba09ce4be7d357dce2d6d67da

SHA512
adfc516149cd081141b42a0a7cd6d2d630f710eb0f65864cac0dcb075e01620f1ab6886fc69208fc61789243c0c75fe8cf1f4457eef245dddc2b6c5a6babbb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4c80c42245e58834c4efe9abfd093ada

SHA1
5b024109ba2f2cd0b5ad0813b2216722ec9a76e7

SHA256
7f141a2544e7b766215ada01e153448763f8b8e629437885ad90d39c0e1b67aa

SHA512
dd21ed3331d114f6ae4c39f1076c07d570eae0138fac6967c7de455a031f343c7dc5961dbc075231e2e7741a3ea0fc971e0d66945e5da70648275260ccb6c8e9

Download Submit
memory/1880-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads