imminent | 53a96e66d55b55c3da544f192de6ab47d3194ad878d75c9d820b83566703c8d9

General

Target

0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
Size

473KB
MD5

0239df7d47b8002859f89f32d57a1192
SHA1

fb32675eb631aaee30a0c64df192e3230451409e
SHA256

53a96e66d55b55c3da544f192de6ab47d3194ad878d75c9d820b83566703c8d9
SHA512

c67138045eec71164f5f79f3244a7576963ef1b19270870d7a98a2c9342165f65670a17327c6a1754b6665765950a75a9c1ebf708af3eed09ddf8e47b4fbba8c
SSDEEP

6144:Iz++FoyEVD3EVDz/u3rurpBQthhdHpt348LFDsiZ12aYkPSMAbuybLBhAeqSPOnu:IZG64uT4Hpto6Qo1XPYCAGnCgej

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qYbNJF.url	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
Token: SeDebugPrivilege	3052	RegAsm.exe
Token: 33	3052	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3052	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3052	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2872	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	85
PID 220 wrote to memory of 2872	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	85
PID 220 wrote to memory of 2872	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	85
PID 2872 wrote to memory of 4884	2872	csc.exe	87
PID 2872 wrote to memory of 4884	2872	csc.exe	87
PID 2872 wrote to memory of 4884	2872	csc.exe	87
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89
PID 220 wrote to memory of 3052	220	0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0239df7d47b8002859f89f32d57a1192_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1a5dlb5i\1a5dlb5i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40E1.tmp" "c:\Users\Admin\AppData\Local\Temp\1a5dlb5i\CSCEBBBC359D86242C79B638E88151C2EF5.TMP"
    3⤵
    PID:4884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a5dlb5i\1a5dlb5i.dll

Filesize
7KB

MD5
71a89578392e63daae74962e791ca175

SHA1
e2aeaa5b9d9ce2910e89a82d5f3098f2bdc318d7

SHA256
8f392d1ff4aa2ff285cf0b045208ec32c3f59615703294a476235e5b97446a7b

SHA512
457cbd3c327413570e0bf9b94d48c63e822d093a543f43779009a6ad63884d54f9e2eccf9a2d79833850dfe885d174d8ca6627ca9959f747268f9c8db2c6bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5dlb5i\1a5dlb5i.pdb

Filesize
23KB

MD5
08dbb5c08dcda4275f692f67e1d21703

SHA1
f58926a58797cf1d9bffcf6cd221eb40ffbbcfe2

SHA256
f83357818b4fe62bebef00e92a2ae864f7a904062a86985dee7cd4cfa778af56

SHA512
5aaf505fd9c61d0c6e045bbbf9f7c74137e4bf42700fd3f5accf2c6698e7c6b2da3b52235b14b0952eb64afc90eef360a3b868b9c905affac8e6d843c5e360f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES40E1.tmp

Filesize
1KB

MD5
fe37be6163cdb560ac018b26c9d07144

SHA1
614ab3d247b52c3bf3e20a9f3a8982124d86b1be

SHA256
b991e5fafeabe259982eb10f37a6cdf2ff0a606c4a3baf5a18fdedfa0de2a999

SHA512
80c724d609c0201a7e32e216cca14c5f53a7fef6f3e916408af892ead1e07de079d397c109b06eadbd3ed4f99765816214aef8f1f35e6857dc1a934380f492f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1a5dlb5i\1a5dlb5i.0.cs

Filesize
6KB

MD5
465c7d9dd71280862c11b8b0081d62f7

SHA1
f0deed8bf011cb9ba2048ce751eea6007c6d0791

SHA256
338b90c57cf1268e4185bd0ee81dd98ecdfb22fed317492fdf520715ff5c8e81

SHA512
f683762cf4d18cfc95eaffcd40d3d06514b4c6d6b29605dceb99a2ba4bf28e70b3d24634ba428e466ff84b6aed371b6b58d1df40d3fd41f5e58407e617eebc24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1a5dlb5i\1a5dlb5i.cmdline

Filesize
312B

MD5
a0a479789698517ed4c26115fc9dd7a1

SHA1
04a94640fdf792f70d2fd8580e1975982d6dfdbc

SHA256
725fd10f0c76be8bb06d7901fef5028d1137f4365b429bb64642dce55c62e4e4

SHA512
cfb802efc1ae823e1da2837e2510192c950a721887e2ee960c751fc71d2f0cfb7468ceb1da276626521c7eb8771b0052f348b29148c8c1d8e2287bf0d6512dfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1a5dlb5i\CSCEBBBC359D86242C79B638E88151C2EF5.TMP

Filesize
1KB

MD5
42d738476dc4c8d433fa32060eac03eb

SHA1
1d7f4b4a1c1fd10ccf78cbf03840e55098bd355b

SHA256
ffbb8dd8bbe6a0a393a9df743c2b26d3243fca79ae8d8fabd339b7d091f25a30

SHA512
06c830c2b03b7202d8a8002cb2ef13e96186113a0e5d128db1646f48ffe31167d84ad9d2454b022635b8da8e6a0f5128049e41117ccd31d7808b48d64cf1ee93

Download Submit
memory/220-19-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/220-28-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/220-1-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/220-17-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/220-0-0x0000000000F60000-0x0000000000FDC000-memory.dmp

Filesize
496KB

Download
memory/220-20-0x0000000005D90000-0x0000000005DF0000-memory.dmp

Filesize
384KB

Download
memory/220-21-0x0000000005810000-0x000000000581C000-memory.dmp

Filesize
48KB

Download
memory/220-24-0x0000000005DF0000-0x0000000005E46000-memory.dmp

Filesize
344KB

Download
memory/220-25-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

Filesize
624KB

Download
memory/220-4-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3052-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3052-31-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/3052-30-0x00000000711F0000-0x00000000717A1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-29-0x00000000711F0000-0x00000000717A1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-39-0x00000000711F0000-0x00000000717A1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-40-0x00000000711F0000-0x00000000717A1000-memory.dmp

Filesize
5.7MB

Download
memory/3052-41-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing