imminent | b117b895ce28345b7d21ddbd47e92f0b79f427b289217a80da0af63c80ada71c

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
Size

676KB
MD5

119317df35531415eb010d93bb9d1ec0
SHA1

1eb882b84c9f2f7fd6a08a254fd667c1be2dab47
SHA256

b117b895ce28345b7d21ddbd47e92f0b79f427b289217a80da0af63c80ada71c
SHA512

af13738f39a56f827405e7b973b9ba0a9d3559a0aebd267da146c8996a17f34dcc74b4aecceb34e93560b7cb6835ad3371e0a6257fa390df617acab1176c59e2
SSDEEP

12288:ajDvX/rBmU+emU+PFtOs7FyeiD5n0SeD3JMc4/wtwc:yrrBmU3mUsOs7FyxiFtMc9w

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RUuGMq.url	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
Token: SeDebugPrivilege	2756	RegAsm.exe
Token: 33	2756	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2756	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2380	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2380	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2380	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2380	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	28
PID 2380 wrote to memory of 2052	2380	csc.exe	30
PID 2380 wrote to memory of 2052	2380	csc.exe	30
PID 2380 wrote to memory of 2052	2380	csc.exe	30
PID 2380 wrote to memory of 2052	2380	csc.exe	30
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2728	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2756	2128	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gr2lisre\gr2lisre.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AB8.tmp" "c:\Users\Admin\AppData\Local\Temp\gr2lisre\CSC6E50092324424451B054F1195C37E1A7.TMP"
    3⤵
    PID:2052
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2AB8.tmp

Filesize
1KB

MD5
23c70ec034c1c47cbe4ea4652e3497e5

SHA1
0c2e830e6eb012da48856d46396f06048a2f0ee7

SHA256
4ae83e5e5c837844f987190819024e17ef2a530323f9173fb3f16c4ac549c67f

SHA512
f2a41ed5be37beb7c84536b87dcfc6428d01ddf780dd2ea42fb347914de1e6d29c248132ddcb46dcffa04ca4cbf7fbe6607b39e34c58d230f5342056424eaf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gr2lisre\gr2lisre.dll

Filesize
15KB

MD5
f2f31eee5fea22835a7e893c743e9413

SHA1
a3d419662a6e773b0768135dd32701d532132c88

SHA256
bb6b3758762462ada72bda1e83b4587a295203690a765b86b4fed79df94cede3

SHA512
f7fda30385c07cc34226690fbe1e27bb53c3fbd995f9141d418fe99cb9bb0eb247a3c8ca0379aea35092790fb4c29a8edd0d195d310bb5a4230725e926033c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gr2lisre\gr2lisre.pdb

Filesize
49KB

MD5
05f2fccb253408ca7ee31605600a0b72

SHA1
93b8f9015b301b760cae2a79c4086ea541c38e0a

SHA256
7f0c6d31b540de86d40c271b3721cba416b6bfe827ae4155105f592fbbea7506

SHA512
d3c06b656c88f45575346b077873b6ef88d681be435c4b06834db42f65feaba31c35a55b5dca45342ebd2390d3e6e0168ec1a2dbd1be1a089f1560af85be80a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2lisre\CSC6E50092324424451B054F1195C37E1A7.TMP

Filesize
1KB

MD5
8befc8fabaf4b0025ae8be47583aad55

SHA1
69bf258f478b9b552ef10b5975488e5e1d85c981

SHA256
5b9e86856cd6885d5a07e4d0a18bb5d9a29b85b3090d79036d8948771a797a25

SHA512
c94367593519d672a063acbec90e1ffc067972a4babbbd424bfa925da67073505cae488b6ac200b6273382eadc37277a8c16e2a487799524b77e3ceb183c6572

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2lisre\gr2lisre.0.cs

Filesize
28KB

MD5
eb45e07606cb096aa763cb50225ed2c8

SHA1
dc590962fe53d01ed98c32ee21d429de3b4c25ce

SHA256
1a844366276b845409f06ae64ff6f12ebb7f059bc7441bfb9f4d97b0da95ea8f

SHA512
cdb1a20bd73d3c7871f84e3c47b0f2d24fbae22ac6559ecb64db9e9bff7b7d9219566456c5ead2ee5462baa9ac9b5e5df8e349f3ca804ad0cf3b04bad442d80d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2lisre\gr2lisre.cmdline

Filesize
312B

MD5
a5c333a5a64ad0718a1222de2dca2df8

SHA1
e531a6ee1014aa24924fb702c9aa95f3a1e41a05

SHA256
1b5f54c5f2d8bf0a05d6577a6938a334c2060cf1c9ae5b5d9c2eebea3caea9f3

SHA512
742bb91b82cece29692fbcc0e12ff9319919948d6c4bea262323d0d43b0a946083e1cfbe11993a9b811149820aa141e841ef4d59c098f4049d70afefa0001604

Download Submit
memory/2128-19-0x0000000001F20000-0x0000000001F80000-memory.dmp

Filesize
384KB

Download
memory/2128-39-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-1-0x0000000000030000-0x00000000000E0000-memory.dmp

Filesize
704KB

Download
memory/2128-17-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2128-0-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/2128-20-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2128-23-0x0000000004D40000-0x0000000004D96000-memory.dmp

Filesize
344KB

Download
memory/2128-5-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-38-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2756-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download