imminent | cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8

General

Target

1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
Size

534KB
MD5

1aeafb4aeda2e03af35db00806c4a752
SHA1

dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac
SHA256

cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8
SHA512

a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9
SSDEEP

6144:ZbuodmSEjapEQaFd8M6rjiiiJUWWAxlp4HqUhiNAyV31RFp07k0rqQ8:MAHlaF6j2iiJUWfl27iKQRFp4kV

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1900	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4964	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1900	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
Token: SeDebugPrivilege	1900	svhost.exe
Token: 33	1900	svhost.exe
Token: SeIncBasePriorityPrivilege	1900	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1900	svhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4348	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	90
PID 1800 wrote to memory of 4348	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	90
PID 1800 wrote to memory of 4348	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	90
PID 4348 wrote to memory of 4896	4348	cmd.exe	94
PID 4348 wrote to memory of 4896	4348	cmd.exe	94
PID 4348 wrote to memory of 4896	4348	cmd.exe	94
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 1900	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	97
PID 1800 wrote to memory of 3972	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	98
PID 1800 wrote to memory of 3972	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	98
PID 1800 wrote to memory of 3972	1800	1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe	98
PID 3972 wrote to memory of 4964	3972	cmd.exe	100
PID 3972 wrote to memory of 4964	3972	cmd.exe	100
PID 3972 wrote to memory of 4964	3972	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:4896
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
534KB

MD5
1aeafb4aeda2e03af35db00806c4a752

SHA1
dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac

SHA256
cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8

SHA512
a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1800-23-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-2-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-26-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-15-0x0000000075122000-0x0000000075123000-memory.dmp

Filesize
4KB

Download
memory/1800-18-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-0-0x0000000075122000-0x0000000075123000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-21-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-20-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-19-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-24-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1900-32-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1900-33-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing