imminent | b117b895ce28345b7d21ddbd47e92f0b79f427b289217a80da0af63c80ada71c

General

Target

119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
Size

676KB
MD5

119317df35531415eb010d93bb9d1ec0
SHA1

1eb882b84c9f2f7fd6a08a254fd667c1be2dab47
SHA256

b117b895ce28345b7d21ddbd47e92f0b79f427b289217a80da0af63c80ada71c
SHA512

af13738f39a56f827405e7b973b9ba0a9d3559a0aebd267da146c8996a17f34dcc74b4aecceb34e93560b7cb6835ad3371e0a6257fa390df617acab1176c59e2
SSDEEP

12288:ajDvX/rBmU+emU+PFtOs7FyeiD5n0SeD3JMc4/wtwc:yrrBmU3mUsOs7FyxiFtMc9w

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RUuGMq.url	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	RegAsm.exe
Token: 33	2220	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2220	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 392	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	83
PID 4852 wrote to memory of 392	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	83
PID 4852 wrote to memory of 392	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	83
PID 392 wrote to memory of 1192	392	csc.exe	88
PID 392 wrote to memory of 1192	392	csc.exe	88
PID 392 wrote to memory of 1192	392	csc.exe	88
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89
PID 4852 wrote to memory of 2220	4852	119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119317df35531415eb010d93bb9d1ec0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jajuq15y\jajuq15y.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37B9.tmp" "c:\Users\Admin\AppData\Local\Temp\jajuq15y\CSCBA1ECEC6828F48B2AEF2B5A479F33412.TMP"
    3⤵
    PID:1192
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES37B9.tmp

Filesize
1KB

MD5
9b022eef5833e54c8aa443f8c1af7e4a

SHA1
41a1492b09d54d84f89bf414664f42283ff8c234

SHA256
85179b5e405c24fd2ef71fa3c4ddc07d30cdcfaa727413a1a040cd7b29663c2e

SHA512
61a34283b73536eadc5a88e8b1916b07933fa88b5db32d05d3cdd97b445b16be0eaff8e3b5c68c43b468f758f13b7d00e8f943367bb6375c922ef0e8aff938ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jajuq15y\jajuq15y.dll

Filesize
15KB

MD5
0389edb7bfc6efa712dee0577d29508d

SHA1
dfd2f6d067fa12a519577572e46de443844fcc5d

SHA256
417d1a96f0fe724210b3596dea5a6fbbcbe11be5a9ac1c16a094c13fdd750cbc

SHA512
2d1641615ca6688675c15b65ef65633378365fa555fc03ce1d07a7d36f8fd5505523da750f2858de64af7f68ff59e1d3bf6e08473bd66cc481d3e2c6f8debcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\jajuq15y\jajuq15y.pdb

Filesize
49KB

MD5
fe3247a2c87b02e2bc9a9a4e94c1ceae

SHA1
c3e963e5b124d63281a89edfe86cd3ab7e653f8c

SHA256
cd5b9edb493561dd85c873fc8b64ea6c4f193a7937600962711a3ad8057759df

SHA512
f94e92ec3bb6d621d92dca420a6c4860265b4035b1b4caf7b918029ffa2292e79bf2cf45fdd9f6a78ecef637f733acdbadcdf91a36aa53ad3d693886eba3b7f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jajuq15y\CSCBA1ECEC6828F48B2AEF2B5A479F33412.TMP

Filesize
1KB

MD5
6141d80b206c88a2ad0a55b300d17a61

SHA1
2f8f0a4fda6e90e892be9679815ef2b7dac512d1

SHA256
747b9623b8afa855b0d5ef98364915a85f0be51cbca2a1fa65e873b130161524

SHA512
496521979d9c7285ae3159512e499011a82bf1905511cb35cac9488957eaf401ece2bbf621fe6241359364a3ada0ec355612971759d998f6d77e1d4fbfa35792

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jajuq15y\jajuq15y.0.cs

Filesize
28KB

MD5
eb45e07606cb096aa763cb50225ed2c8

SHA1
dc590962fe53d01ed98c32ee21d429de3b4c25ce

SHA256
1a844366276b845409f06ae64ff6f12ebb7f059bc7441bfb9f4d97b0da95ea8f

SHA512
cdb1a20bd73d3c7871f84e3c47b0f2d24fbae22ac6559ecb64db9e9bff7b7d9219566456c5ead2ee5462baa9ac9b5e5df8e349f3ca804ad0cf3b04bad442d80d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jajuq15y\jajuq15y.cmdline

Filesize
312B

MD5
daad60077d27d9057ba1f05d74d581ec

SHA1
2471dc6a962f9edb43551ab138739f57fd864231

SHA256
8f0173d97fc3db4c736bdf816aa4dd3a0e2aa8650136a5cda4f2264e4b0a86a7

SHA512
11e621e0cc15a85eeeddbf4e65eafaa79163529082d51744cc8e6dea2620284b316b754eefcfe1a9dc50f1eba75d040144b0f7605bf54b94ecbefd72d8427b84

Download Submit
memory/2220-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-29-0x00000000713C2000-0x00000000713C3000-memory.dmp

Filesize
4KB

Download
memory/2220-40-0x00000000713C0000-0x0000000071971000-memory.dmp

Filesize
5.7MB

Download
memory/2220-39-0x00000000713C2000-0x00000000713C3000-memory.dmp

Filesize
4KB

Download
memory/2220-31-0x00000000713C0000-0x0000000071971000-memory.dmp

Filesize
5.7MB

Download
memory/2220-30-0x00000000713C0000-0x0000000071971000-memory.dmp

Filesize
5.7MB

Download
memory/4852-24-0x0000000005D50000-0x0000000005DA6000-memory.dmp

Filesize
344KB

Download
memory/4852-5-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4852-25-0x0000000005E50000-0x0000000005EEC000-memory.dmp

Filesize
624KB

Download
memory/4852-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/4852-28-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4852-21-0x00000000030E0000-0x00000000030EC000-memory.dmp

Filesize
48KB

Download
memory/4852-20-0x0000000005CF0000-0x0000000005D50000-memory.dmp

Filesize
384KB

Download
memory/4852-19-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/4852-17-0x0000000003040000-0x000000000304A000-memory.dmp

Filesize
40KB

Download
memory/4852-1-0x0000000000D00000-0x0000000000DB0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing