hiverat | 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1

General

Target

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
Size

304KB
MD5

9ba758b08ecfb820c6da64d7f954cbed
SHA1

1c3739294d3a6fa957d007098854e308c88e717d
SHA256

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1
SHA512

359f44fb16b00916ff16f3a5c8a71d493f1a030beca9c1b848e3885ad8aab00d15f7c77afea6d6375eafc30fa0e7914a9f6b2fe1ce6be0bc83e4819f1a88b9c6
SSDEEP

6144:FFxNzzXzFuk9j/iXLs7dKW6PotJ7DNYx1EgOrHDMnSr:HzzDokBULs7dbQOV7RrHr

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/2892-2-0x00000000021E0000-0x000000000222A000-memory.dmp	beds_protector

HiveRAT payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-11-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-16-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-12-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-18-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-20-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-38-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-48-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-46-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-44-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-30-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-28-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-26-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/2904-24-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process	target process
PID 2892 set thread context of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 2904 WerFault.exe 9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

pid	pid_target	process	target process
2484	2904	WerFault.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

pid	process
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
Token: SeDebugPrivilege	2904	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process	target process
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2892 wrote to memory of 2904	2892	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 2904 wrote to memory of 2484	2904	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	WerFault.exe
PID 2904 wrote to memory of 2484	2904	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	WerFault.exe
PID 2904 wrote to memory of 2484	2904	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	WerFault.exe
PID 2904 wrote to memory of 2484	2904	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 552
    3⤵
    - Program crash
    PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2892-1-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/2892-2-0x00000000021E0000-0x000000000222A000-memory.dmp

Filesize
296KB

Download
memory/2892-3-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-4-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/2892-5-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-7-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2892-22-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2904-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-9-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-10-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-18-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-20-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-21-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2904-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-38-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-48-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-46-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-44-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-30-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-26-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-24-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2904-61-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads