metamorpherrat | b36fd8d11afa644327c9f80608f9b426aea128734f25ea08e310cce231927999

General

Target

JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
Size

121KB
MD5

b0976ba610b5d7160f9ead39bb28cd5c
SHA1

0230c03b749e42bb489c3336f077961aa72458ce
SHA256

b36fd8d11afa644327c9f80608f9b426aea128734f25ea08e310cce231927999
SHA512

0f12f342b0cdfc146b63e6a1b30eb3c4e1770204dcbaa5f4965e8573aa7cce4ad934f4722d6a2cb279b5746b99f422e1e09b8814e628bc65cb360af7efc8c74f
SSDEEP

3072:vLgpuOqXeZcbmFMoSj5YUUQaem3DXw6UoambuFfJsWE6STeU5VrMxCi18iRRgVTD:GzgvoKoTq/4hrqUfy6+N9TUeAXqMW

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Metamorpherrat family
metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe

Deletes itself 1 IoCs

pid	Process
5068	tmpA633.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	tmpA633.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shfusion = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.Build.Tasks.exe\""	tmpA633.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA633.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
Token: SeDebugPrivilege	5068	tmpA633.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3464	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	86
PID 4692 wrote to memory of 3464	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	86
PID 4692 wrote to memory of 3464	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	86
PID 3464 wrote to memory of 3120	3464	vbc.exe	89
PID 3464 wrote to memory of 3120	3464	vbc.exe	89
PID 3464 wrote to memory of 3120	3464	vbc.exe	89
PID 4692 wrote to memory of 5068	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	90
PID 4692 wrote to memory of 5068	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	90
PID 4692 wrote to memory of 5068	4692	JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h_w7m3og.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F94411062F94F0BA922972886B17FF8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120
- C:\Users\Admin\AppData\Local\Temp\tmpA633.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA633.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0976ba610b5d7160f9ead39bb28cd5c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp

Filesize
1KB

MD5
47dc961555d5407d9daf401607da5d42

SHA1
8ebe290bf5962d5312864586a7d23eba9050999f

SHA256
732237150430f58c42fc9b008e940bc12e85503d3c1ad587ccb8c5817b15d738

SHA512
9c5c99d5e12afd01e54250fb3d084da795a9d65e3c21983e54a52504cb152b9b6b780f34d0a51ba0250b61475325ef8129f6900f2fc637b3d864f24c600a7d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\h_w7m3og.0.vb

Filesize
112KB

MD5
223fd274f30505a5b305954435c637c4

SHA1
35140e27cf454e8d0f963fac5571dca84ddc78c4

SHA256
ecccb2cdc76ad4a93e296f9b2ff4a87d051b04010035efd0da7186f026556f94

SHA512
01f825c20e84a8cabf156f7225c308f3358eae011d1ecb26fe0d94cddeab53ee423bdcb79234ad72aaac8c3ef07ecaa5cf46f7a71484070c77f1d96ed9502c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h_w7m3og.cmdline

Filesize
266B

MD5
64f002443f5067ef97a33711d107743c

SHA1
ca43e995e1cdd1ee3267f5619d9726e67ae76561

SHA256
88c9a63181bfd498107e2d16e4f6c6c6d5274501380368b79e9154f3492409c4

SHA512
961113ab30c4cfa4ff9e5cbb829c8287fcb3be05eb3327ffecd9dc8493b7327869ddd1f5a13de23a3ee099a0c3ccbec39a2e2860565dfe2f163ac0ad5c1a3702

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA633.tmp.exe

Filesize
111KB

MD5
593925b41bd073e680c9e0b41fcc413e

SHA1
7376f2aba195b490840dc5eed36e56f692703e87

SHA256
ffd666e6d52e988223a125275855b9e6993c66bb66c2573d0e38119e3f81f6d1

SHA512
579c679f9e8941eea2441da33c581895ab5ac78aa333bb3eddd29df4ecfab4ffe77b65e6003a6c4b8ef54175c1f85755ba7acca1ad6f4d46387f6587548a38f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F94411062F94F0BA922972886B17FF8.TMP

Filesize
660B

MD5
9bcfe1f7b541308b4c3b81a8e2362f4a

SHA1
0c488e466e70ab4c23bd485e597e44a3a6030229

SHA256
a51a6cd17311020d9a9e59325fba77189cb7a9e4024ce78a1b91469de3fef1f3

SHA512
f4ddcb3b50d87a4035a09af1de61c332c53f41ec5d76d083544c90bc93a22585955107eaa6bdb6a449b18e31348003a4ad08f1faf808d8b7053944a1a0c9b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4c80c42245e58834c4efe9abfd093ada

SHA1
5b024109ba2f2cd0b5ad0813b2216722ec9a76e7

SHA256
7f141a2544e7b766215ada01e153448763f8b8e629437885ad90d39c0e1b67aa

SHA512
dd21ed3331d114f6ae4c39f1076c07d570eae0138fac6967c7de455a031f343c7dc5961dbc075231e2e7741a3ea0fc971e0d66945e5da70648275260ccb6c8e9

Download Submit
memory/3464-9-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3464-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4692-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/4692-22-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4692-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/4692-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-25-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-26-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads