Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-05-2024 18:11

General

  • Target

    18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi

  • Size

    2.1MB

  • MD5

    18c5c1b72a7764010ddb0c29f6104eaf

  • SHA1

    c0897b37b631fac818e31aac6fbd76cdbe24d131

  • SHA256

    73a921d79c629a62d12cb03c5474b59f2e47fba3cd134d9c297bf6caa9d29be8

  • SHA512

    635d3f9f13217147daa06938d84998acec57ee81203d4a69ef3eb2154dc1cb79b8696d59e0c585b8fa43d38c2d3aa1a7f2dd1fe2dbab60978c9bc0d9abeb52ed

  • SSDEEP

    49152:H5EVRAJdD1Z/cusQrWxE/J92+DA4sqOo7/z:ZEVRUdDb0+yEB5DKA

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Drops startup file 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2836
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A0DD38AD8127D7A5C9B7A3B2337D96
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\expand.exe
        "C:\Windows\System32\expand.exe" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2744
      • C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files\IMSynTPHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files\IMSynTPHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Users\Admin\AppData\Local\Temp\Synmatec.exe
            "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg"
              6⤵
                PID:1436
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\SysWOW64\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
                6⤵
                  PID:2124
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
                  6⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
                    7⤵
                    • Drops startup file
                    • Suspicious use of SetThreadContext
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1836
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:288
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding 858EF8ADDB2017635F51DF434E29FC2E M Global\MSI0000
          2⤵
          • Loads dropped DLL
          PID:1264
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000005A8"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:1216
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082

Downloads

        • C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files.cab
          Filesize

          1.9MB

          MD5

          a9fb9b6b482719cbd7a086cb8091f35a

          SHA1

          d70c9e4b290df43a28f72f303fb3ee7dc6897400

          SHA256

          c2d7cab5b45230fb343f200e02427b4c75bbd22817d00f90537b7d242b610d37

          SHA512

          f9a680eefd943f2c7324df32b70b400065a968fb87e39092e29d994478a638c60fa4a683f7ddfcfbb6ad100e2e463e9a80f877bb14c938da4c15fa1ebdbd403f

        • C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files\IMSynTPHelper.exe
          Filesize

          1.9MB

          MD5

          40706d9e08a34f0167faa803aad1d4a6

          SHA1

          b0a958964f6037bc9dbac43124332844902d4c32

          SHA256

          42ecb43af4bf31dab0599ffdd1156a88347a00e9940b7a984a5533a6c1a5be57

          SHA512

          e3790550d7d77de24aad3e7f57c525b42069829d3e324e289bd66dc31d8d9365df44ba7e9a48750b648f215312dcf50356a513dfb5e7095c323c22c6eaee5ef7

        • C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\msiwrapper.ini
          Filesize

          488B

          MD5

          17d069458615d485b300d2b3c6ca1ef9

          SHA1

          c894c4bf1dcdf83fd3e6098461fa1e3dfb150893

          SHA256

          1caac545e7f6c4187635f31a8c860082c1ce68a982c90036f65ddef0faec469d

          SHA512

          3d73b9bbda075f65c2682bb6e224d3b4f0ebdf61f139f9f93cb2e7345e1390d00d31477d63b5d3c3e8568bd07e9862e00ebe04c8a63420ac57ca38a30516e1d7

        • C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg
          Filesize

          1.2MB

          MD5

          5b9849e016ab5210cbc8e78a1fdd3671

          SHA1

          560091b2bdf518dd892016722da62fa613d5e958

          SHA256

          76a430452cf0bbb0e429675afd0bf1ff9bb9391f6d41dc293afd6ef06abb7c15

          SHA512

          7975184dadbbb612cad14d01fa03d6ece12d28d9dbd1ba5ccc05b1c10f52b866693354d25c8b667c709ad345ac4a8715ec6e425702d0e3a73d606026bcaba659

        • C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.txt
          Filesize

          32B

          MD5

          5487dd5ec11b05c9f40df10892a2be77

          SHA1

          f280495646fbe745db0a59d4c4d9c4529a205321

          SHA256

          9dbd45db8495aeb79115856938096941222a3860c642a9c42f0c0f186683909a

          SHA512

          d9128a6bb1534915cc2737d64145fb0e243a5cf709b03d3703570cd3fa6d5d703e02b056b371787288225a7225a3d8f16aee0831ad30e433c2d3110121101945

        • C:\Windows\Installer\MSI3276.tmp
          Filesize

          131KB

          MD5

          a06ba919e980d32e0ebe80ddfa099524

          SHA1

          2a1c0cbec1cbf5774a6d00fc3a14d2ce979026d1

          SHA256

          b8074d53c56f7deb5832af3894ec20a21d1162252f177984807eb30fc1152fc8

          SHA512

          c8be0aa247baec6c2a7061086c0bbec166099de3dd0f40e50558fb1515dbe9324662ea7c80797208e4eb2f2243c96067702edf385602773e7b3ccc36896f1d13

        • memory/288-145-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-147-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-152-0x00000000005C0000-0x00000000005D6000-memory.dmp
          Filesize

          88KB

        • memory/288-151-0x00000000003B0000-0x00000000003D8000-memory.dmp
          Filesize

          160KB

        • memory/288-150-0x0000000005040000-0x00000000050EE000-memory.dmp
          Filesize

          696KB

        • memory/288-149-0x0000000000350000-0x0000000000360000-memory.dmp
          Filesize

          64KB

        • memory/288-148-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

        • memory/288-142-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-140-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-137-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/288-138-0x0000000000400000-0x0000000000456000-memory.dmp
          Filesize

          344KB

        • memory/1216-115-0x0000000000120000-0x0000000000122000-memory.dmp
          Filesize

          8KB

        • memory/1436-114-0x0000000000640000-0x0000000000642000-memory.dmp
          Filesize

          8KB

        • memory/1836-135-0x0000000000E50000-0x0000000000E5A000-memory.dmp
          Filesize

          40KB

        • memory/1836-128-0x0000000001370000-0x0000000001560000-memory.dmp
          Filesize

          1.9MB

        • memory/2164-55-0x0000000001360000-0x0000000001550000-memory.dmp
          Filesize

          1.9MB

        • memory/2664-50-0x0000000007010000-0x00000000071F2000-memory.dmp
          Filesize

          1.9MB

        • memory/2664-49-0x0000000001360000-0x0000000001550000-memory.dmp
          Filesize

          1.9MB

        • memory/2664-52-0x0000000000420000-0x000000000042A000-memory.dmp
          Filesize

          40KB

        • memory/2664-51-0x00000000003F0000-0x0000000000420000-memory.dmp
          Filesize

          192KB

        • memory/2664-53-0x0000000000490000-0x000000000049E000-memory.dmp
          Filesize

          56KB