hiverat | 199ebb6c60b2f902613473a7b67552e5f1c3848ed0b55b0bb3d618362369f387

General

Target

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
Size

308KB
MD5

54a02706c15bf0dddb9d35bf58a526ba
SHA1

7d2001110e9d32c66306c4269ef272dc75b3da0b
SHA256

199ebb6c60b2f902613473a7b67552e5f1c3848ed0b55b0bb3d618362369f387
SHA512

2ed63cd8ea52a2a084caba9f883cf926c71a8b097fc5e55977dcd3b62a5e26369df28a68f96e21e29e60a83affba6085c8e968a6fa6a9afc5c7c2dfe0471f25f
SSDEEP

6144:zOGTzUbKW5q+UwdFHFi2i28uW3CwbsHZztFm3z:zOUE7hFvfMbazTm3z

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/116-4-0x0000000005570000-0x00000000055BA000-memory.dmp	beds_protector

HiveRAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-12-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-23-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-21-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-42-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-40-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-32-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-19-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-38-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3212-17-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

description	pid	Process	procid_target
PID 116 set thread context of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
760	3212	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

pid	Process
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
Token: SeDebugPrivilege	3212	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe

description	pid	Process	procid_target
PID 116 wrote to memory of 3020	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	96
PID 116 wrote to memory of 3020	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	96
PID 116 wrote to memory of 3020	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	96
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97
PID 116 wrote to memory of 3212	116	54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe"
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\54a02706c15bf0dddb9d35bf58a526ba_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 784
    3⤵
    - Program crash
    PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3212 -ip 3212
1⤵
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-29-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/116-55-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/116-2-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/116-3-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/116-4-0x0000000005570000-0x00000000055BA000-memory.dmp

Filesize
296KB

Download
memory/116-5-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/116-6-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/116-7-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/116-8-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/116-10-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/116-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/116-1-0x0000000000BD0000-0x0000000000C22000-memory.dmp

Filesize
328KB

Download
memory/3212-42-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-21-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-23-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-40-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-56-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/3212-19-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-38-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3212-15-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/3212-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads