hiverat | 9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1

General

Target

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
Size

304KB
MD5

9ba758b08ecfb820c6da64d7f954cbed
SHA1

1c3739294d3a6fa957d007098854e308c88e717d
SHA256

9f8c3442cf2cc4b6fb9985353de632dd785d38c05a53b497f0d526ac7c3c1ee1
SHA512

359f44fb16b00916ff16f3a5c8a71d493f1a030beca9c1b848e3885ad8aab00d15f7c77afea6d6375eafc30fa0e7914a9f6b2fe1ce6be0bc83e4819f1a88b9c6
SSDEEP

6144:FFxNzzXzFuk9j/iXLs7dKW6PotJ7DNYx1EgOrHDMnSr:HzzDokBULs7dbQOV7RrHr

Score

10^/10

hiverat rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/3996-4-0x0000000005900000-0x000000000594A000-memory.dmp	beds_protector

HiveRAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3976-12-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-37-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-41-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-39-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-31-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-23-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-21-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-19-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3976-17-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Drops startup file 2 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updates_.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process	target process
PID 3996 set thread context of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3664 3976 WerFault.exe 9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

pid	pid_target	process	target process
3664	3976	WerFault.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

pid	process
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
Token: SeDebugPrivilege	3976	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

description	pid	process	target process
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
PID 3996 wrote to memory of 3976	3996	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe	9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9ba758b08ecfb820c6da64d7f954cbed_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 780
    3⤵
    - Program crash
    PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
1⤵
PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3976-21-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-41-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-19-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-23-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-39-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3976-15-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3976-56-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3976-37-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3996-6-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/3996-54-0x0000000005E30000-0x0000000005E3A000-memory.dmp

Filesize
40KB

Download
memory/3996-10-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3996-8-0x0000000005D90000-0x0000000005E2C000-memory.dmp

Filesize
624KB

Download
memory/3996-7-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3996-1-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/3996-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/3996-5-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3996-4-0x0000000005900000-0x000000000594A000-memory.dmp

Filesize
296KB

Download
memory/3996-3-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/3996-55-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3996-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads