imminent | 53a96e66d55b55c3da544f192de6ab47d3194ad878d75c9d820b83566703c8d9

General

Target

0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
Size

473KB
MD5

0239df7d47b8002859f89f32d57a1192
SHA1

fb32675eb631aaee30a0c64df192e3230451409e
SHA256

53a96e66d55b55c3da544f192de6ab47d3194ad878d75c9d820b83566703c8d9
SHA512

c67138045eec71164f5f79f3244a7576963ef1b19270870d7a98a2c9342165f65670a17327c6a1754b6665765950a75a9c1ebf708af3eed09ddf8e47b4fbba8c
SSDEEP

6144:Iz++FoyEVD3EVDz/u3rurpBQthhdHpt348LFDsiZ12aYkPSMAbuybLBhAeqSPOnu:IZG64uT4Hpto6Qo1XPYCAGnCgej

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qYbNJF.url	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
Token: SeDebugPrivilege	2612	RegAsm.exe
Token: 33	2612	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2612	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2680	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2680	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2680	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2680	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	28
PID 2680 wrote to memory of 2472	2680	csc.exe	30
PID 2680 wrote to memory of 2472	2680	csc.exe	30
PID 2680 wrote to memory of 2472	2680	csc.exe	30
PID 2680 wrote to memory of 2472	2680	csc.exe	30
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2612	2888	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vk5egszu\vk5egszu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92BE.tmp" "c:\Users\Admin\AppData\Local\Temp\vk5egszu\CSC409A7A54294745218DCC4F2F30BBF9BC.TMP"
    3⤵
    PID:2472
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES92BE.tmp

Filesize
1KB

MD5
11f5ceefbef48071be86dc1f32c95d86

SHA1
11d4bd187c9d8c112d384ad0aba967f6949991d2

SHA256
355f0321a88c2641e3cc28e648d74803f48262957bca4c15aadb4be040490610

SHA512
030515d02ccaa4c0cca3f2d945d9d6f66897d4db81f0eb137531ca92fc6c2c4361a9eef7c7368dc48a26ba7a6ce69b45f92279e61982ed38dedbbea36f3ee6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vk5egszu\vk5egszu.dll

Filesize
7KB

MD5
453c86925728410b7bae91b42baf7ce1

SHA1
27bf0d126b1ee8112742a42a488b5ab425258a8e

SHA256
9ee927702a0dbc922f13b0c8f5d7bc43f40967bab61d07cdf7f1c874a3eb0fa7

SHA512
a63dfb6ae6f7dece4702151bf81f363cd70614d5e65ab34f2e36858b47094dfd7c26c4b499a984370cdb2e7af15db0a0f0bccfff3581ba1762d88298836698f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vk5egszu\vk5egszu.pdb

Filesize
23KB

MD5
3317db6691f5b9aa984395655fbd74d8

SHA1
d9ff4b0dc7db391c1f8fedb3c3e27111295c9efd

SHA256
f01687aa23aac15e060b420ae520ca7153a93d66cf35e92d6ba92866ac3fb3bc

SHA512
f7e7888f4e5b3861f118cac1acce7c2b7c8d6fad59dc82060e70f7770d91be29580d4a352dc9f3180fae36363b72b27007fd7df363a5921e437d12416b1bd578

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vk5egszu\CSC409A7A54294745218DCC4F2F30BBF9BC.TMP

Filesize
1KB

MD5
7a6e6aabfd7720977078e100dd450a00

SHA1
ef67d90f822037c4247054a202cb034450f05ee2

SHA256
81169eb1054fe4888c01505c51b29f72cbc089bdc85dba828e9384bbc161a10e

SHA512
0d861a1198edac5718caa30a4c809e4d008c4e7cdfaadd07054b0456a8dcc18b8c9914e2a2b46c344b9bc4db65a5dbea388d68d45b2522c2c70ff5f9f61a6640

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vk5egszu\vk5egszu.0.cs

Filesize
6KB

MD5
465c7d9dd71280862c11b8b0081d62f7

SHA1
f0deed8bf011cb9ba2048ce751eea6007c6d0791

SHA256
338b90c57cf1268e4185bd0ee81dd98ecdfb22fed317492fdf520715ff5c8e81

SHA512
f683762cf4d18cfc95eaffcd40d3d06514b4c6d6b29605dceb99a2ba4bf28e70b3d24634ba428e466ff84b6aed371b6b58d1df40d3fd41f5e58407e617eebc24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vk5egszu\vk5egszu.cmdline

Filesize
312B

MD5
d64e15f19720d001fd205ab009f54286

SHA1
aa5031c1470211d4506a32841e26ff9ce095c2dd

SHA256
211385a02c7d5bbfd3bc4faf6e721e673fd34d61e0918d603f473f359978db07

SHA512
aa1d5191a39c8f454795fedbc263e7cbd78f7e85067ca3e31bcafc9eab8bad0b7f0b20f8840a55364873581403a42c0c0fae62849a81f6483b16dff2bdebfd4b

Download Submit
memory/2612-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2888-23-0x0000000004F80000-0x0000000004FD6000-memory.dmp

Filesize
344KB

Download
memory/2888-0-0x0000000000BA0000-0x0000000000C1C000-memory.dmp

Filesize
496KB

Download
memory/2888-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/2888-20-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2888-19-0x0000000004F20000-0x0000000004F80000-memory.dmp

Filesize
384KB

Download
memory/2888-17-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2888-1-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-35-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing