Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
05-05-2024 18:11
General
-
Target
18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi
-
Size
2.1MB
-
MD5
18c5c1b72a7764010ddb0c29f6104eaf
-
SHA1
c0897b37b631fac818e31aac6fbd76cdbe24d131
-
SHA256
73a921d79c629a62d12cb03c5474b59f2e47fba3cd134d9c297bf6caa9d29be8
-
SHA512
635d3f9f13217147daa06938d84998acec57ee81203d4a69ef3eb2154dc1cb79b8696d59e0c585b8fa43d38c2d3aa1a7f2dd1fe2dbab60978c9bc0d9abeb52ed
-
SSDEEP
49152:H5EVRAJdD1Z/cusQrWxE/J92+DA4sqOo7/z:ZEVRUdDb0+yEB5DKA
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Drops startup file 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BF9330045A1B8BD11F639200A6A6E6962⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\expand.exe"C:\Windows\System32\expand.exe" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\MW-8dc7a4f6-b75f-4c59-8531-348aafa2242d\files\IMSynTPHelper.exe"C:\Users\Admin\AppData\Local\Temp\MW-8dc7a4f6-b75f-4c59-8531-348aafa2242d\files\IMSynTPHelper.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"7⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SynmatecProcessor.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2DA1E351BE6339B565DF2F95485D2B19 E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SynmatecProcessor.exe.logFilesize
706B
MD52ef5ef69dadb8865b3d5b58c956077b8
SHA1af2d869bac00685c745652bbd8b3fe82829a8998
SHA256363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3
SHA51266d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3
-
C:\Users\Admin\AppData\Local\Temp\MW-8dc7a4f6-b75f-4c59-8531-348aafa2242d\files.cabFilesize
1.9MB
MD5a9fb9b6b482719cbd7a086cb8091f35a
SHA1d70c9e4b290df43a28f72f303fb3ee7dc6897400
SHA256c2d7cab5b45230fb343f200e02427b4c75bbd22817d00f90537b7d242b610d37
SHA512f9a680eefd943f2c7324df32b70b400065a968fb87e39092e29d994478a638c60fa4a683f7ddfcfbb6ad100e2e463e9a80f877bb14c938da4c15fa1ebdbd403f
-
C:\Users\Admin\AppData\Local\Temp\MW-8dc7a4f6-b75f-4c59-8531-348aafa2242d\files\IMSynTPHelper.exeFilesize
1.9MB
MD540706d9e08a34f0167faa803aad1d4a6
SHA1b0a958964f6037bc9dbac43124332844902d4c32
SHA25642ecb43af4bf31dab0599ffdd1156a88347a00e9940b7a984a5533a6c1a5be57
SHA512e3790550d7d77de24aad3e7f57c525b42069829d3e324e289bd66dc31d8d9365df44ba7e9a48750b648f215312dcf50356a513dfb5e7095c323c22c6eaee5ef7
-
C:\Users\Admin\AppData\Local\Temp\MW-8dc7a4f6-b75f-4c59-8531-348aafa2242d\msiwrapper.iniFilesize
488B
MD572cb2634a1dbbaa6cebbf282f672a36f
SHA18aa1381736fd20f0bcf103efd5c8a62b32f14fc4
SHA256cbc830f5bffde90ecbb026e8fce2921c5b2d2bd3b197b0e6845af8e718588c1d
SHA512b091dda803d9375aa1b810b105ca259cbb42832561802504a08070c4beff33c0640f53b09e1ec7654435a3b7eaf71cb873b76450c4b0bf9b30662a6ef9945194
-
C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.jpgFilesize
1.2MB
MD55b9849e016ab5210cbc8e78a1fdd3671
SHA1560091b2bdf518dd892016722da62fa613d5e958
SHA25676a430452cf0bbb0e429675afd0bf1ff9bb9391f6d41dc293afd6ef06abb7c15
SHA5127975184dadbbb612cad14d01fa03d6ece12d28d9dbd1ba5ccc05b1c10f52b866693354d25c8b667c709ad345ac4a8715ec6e425702d0e3a73d606026bcaba659
-
C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.txtFilesize
32B
MD55487dd5ec11b05c9f40df10892a2be77
SHA1f280495646fbe745db0a59d4c4d9c4529a205321
SHA2569dbd45db8495aeb79115856938096941222a3860c642a9c42f0c0f186683909a
SHA512d9128a6bb1534915cc2737d64145fb0e243a5cf709b03d3703570cd3fa6d5d703e02b056b371787288225a7225a3d8f16aee0831ad30e433c2d3110121101945
-
C:\Windows\Installer\MSI7705.tmpFilesize
131KB
MD5a06ba919e980d32e0ebe80ddfa099524
SHA12a1c0cbec1cbf5774a6d00fc3a14d2ce979026d1
SHA256b8074d53c56f7deb5832af3894ec20a21d1162252f177984807eb30fc1152fc8
SHA512c8be0aa247baec6c2a7061086c0bbec166099de3dd0f40e50558fb1515dbe9324662ea7c80797208e4eb2f2243c96067702edf385602773e7b3ccc36896f1d13
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
24.1MB
MD5673aac372c203807f0bc91d5b9924893
SHA160a92745ab3f1862b56b25561bdefef9d3e9d079
SHA256c6e24e303850d97c5c07cd7fede4cf93b4ac2098b792252d2fdb5096bc64c395
SHA512f74e2b2749a15d37ca1888908c48ea48a7809542bf1b0af1d95d3ae107ed7c9b2a6dc659afd627cf156b904327070574c38f8b1887a882df6d933e2b593782e3
-
\??\Volume{bb0c4c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6d2dd57b-05ff-46c7-8564-ce612b4dbfd4}_OnDiskSnapshotPropFilesize
6KB
MD589aeacbea3ceaa2c5ae4437a058f8488
SHA183dd912a002d1a45293abb7b896623b617a8c27d
SHA25604875254a08413043d75e898b7363cf2bdd05db239aaa20af9e5d942e5ab2f01
SHA5122670c8ae2757d2550f4f32a5a6abda2add715c50a7cff76815cd4ede7135089a69f928752fcd9b87eaf2d1f504606fea390a28039c5fd25b1afb0f092c9b12ca
-
memory/3980-100-0x0000000005E20000-0x0000000005E86000-memory.dmpFilesize
408KB
-
memory/3980-101-0x0000000006300000-0x0000000006318000-memory.dmpFilesize
96KB
-
memory/3980-99-0x0000000008250000-0x0000000008278000-memory.dmpFilesize
160KB
-
memory/3980-98-0x0000000004E20000-0x0000000004ECE000-memory.dmpFilesize
696KB
-
memory/3980-102-0x0000000006360000-0x0000000006376000-memory.dmpFilesize
88KB
-
memory/3980-103-0x00000000064D0000-0x00000000064DA000-memory.dmpFilesize
40KB
-
memory/3980-97-0x0000000000E70000-0x0000000000E80000-memory.dmpFilesize
64KB
-
memory/3980-96-0x0000000000830000-0x0000000000886000-memory.dmpFilesize
344KB
-
memory/4940-48-0x0000000004C50000-0x0000000004C80000-memory.dmpFilesize
192KB
-
memory/4940-92-0x000000000A3E0000-0x000000000A47C000-memory.dmpFilesize
624KB
-
memory/4940-91-0x0000000002890000-0x000000000289A000-memory.dmpFilesize
40KB
-
memory/4940-54-0x0000000007400000-0x000000000740E000-memory.dmpFilesize
56KB
-
memory/4940-53-0x00000000073D0000-0x00000000073DA000-memory.dmpFilesize
40KB
-
memory/4940-50-0x0000000007470000-0x0000000007502000-memory.dmpFilesize
584KB
-
memory/4940-49-0x0000000007980000-0x0000000007F24000-memory.dmpFilesize
5.6MB
-
memory/4940-47-0x0000000007180000-0x0000000007362000-memory.dmpFilesize
1.9MB
-
memory/4940-46-0x0000000000100000-0x00000000002F0000-memory.dmpFilesize
1.9MB
