imminent | 8e8941c4436c0c4666d8eb89429be7421341f051e1b07a73379c0505a9feeafe

General

Target

20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Size

485KB
MD5

20833d55ee686ee4b5e3dca815a71cfe
SHA1

9c44d4c2094dbe462a32d83e784ba30ed3526ee5
SHA256

8e8941c4436c0c4666d8eb89429be7421341f051e1b07a73379c0505a9feeafe
SHA512

2fcd668074474808b7130c34d888bd92be688794c4bb05b58ebad19565b7377ce69ad4ab729303401621718c9e4e3c44f17684d48a91a39684b4b9c0d948c7ef
SSDEEP

12288:ITpppppppp/ppppppppppppppppppppppppppppppppppppppppcbW26hcshXq9R:IyWFhz1q9NQ89qGEoE8yG

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TAQOna.url	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2504	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Token: SeDebugPrivilege	2504	RegAsm.exe
Token: 33	2504	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2504	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2504	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2568	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2568	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2568	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	28
PID 1620 wrote to memory of 2568	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	28
PID 2568 wrote to memory of 2228	2568	csc.exe	30
PID 2568 wrote to memory of 2228	2568	csc.exe	30
PID 2568 wrote to memory of 2228	2568	csc.exe	30
PID 2568 wrote to memory of 2228	2568	csc.exe	30
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2504	1620	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pog5kdua\pog5kdua.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1027.tmp" "c:\Users\Admin\AppData\Local\Temp\pog5kdua\CSCEF095EB44C57443D9828111C8AC854C.TMP"
    3⤵
    PID:2228
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2504

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1027.tmp

Filesize
1KB

MD5
99c54537592d26f3fb38d4af6e34a701

SHA1
009891e116ce4681f1c58f5226a540a3decaf767

SHA256
432524b0174f24db89f7435cbf6a684370f52eae5ee6d4e374262badd8fd4784

SHA512
e885def6b9fda162c01593ce5ee678fa1c1b59c5f375ba543067bc38615b3a423f99342085dd3a6956c861d1fa3e0f5700d9a2dcca11dde51c0084a660f0d235

Download Submit
C:\Users\Admin\AppData\Local\Temp\pog5kdua\pog5kdua.dll

Filesize
7KB

MD5
1d33f8a419648298270a517e0fdbc96c

SHA1
7bd648819ae36e87773865b399ba96b8ba742339

SHA256
eb1e0b2d11b29492b835941f8986694ee1b54b17d8b53e3956bd31c8eca02fd5

SHA512
2ee89be57cf9343cb92c32df12e3d93617952b2fb63273a7d1e3da7031be0095156076bc9eecfd46c64999b8fe67dfe78cf2cfe558837923ad0c0caaa9c22547

Download Submit
C:\Users\Admin\AppData\Local\Temp\pog5kdua\pog5kdua.pdb

Filesize
23KB

MD5
7ea2ee689bb4541909aa4ae07e1b7951

SHA1
d9859e7828eb19cb8ab4e78b2dfc58f3c9235d5a

SHA256
c18aa1ea6c2705d2d977fa88adfa4847cd3964f1d86b1a5f3abd1d57e457c7b4

SHA512
268216d89217a285ece42ecde20c0bec6ac515b07c9d669ee860db1c541ba9dc096307371d6392af3bfad5140274265b2d95b0d16c75e3495b72aae1fffeb98b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pog5kdua\CSCEF095EB44C57443D9828111C8AC854C.TMP

Filesize
1KB

MD5
185fdeb9d393537d50779b9127e5baad

SHA1
4603eb01856afc17d2a2a7761efafb050bfdb2d4

SHA256
c0cbe7b766ee1d3fcdb4e89059e115856159b128490f6f1387684eddf0b2054c

SHA512
a3d158ffe86a9c899c1ff858b7f8cc035034220694715b28dba8ef7122fb54c52d818522d206451b800c0d792b30a8de7b1a6b33e5e0b66533e15a3a19f61ff3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pog5kdua\pog5kdua.0.cs

Filesize
5KB

MD5
7327c4ad223fe0791d7c523b8a1f06be

SHA1
148b97c8c52e904cda3a76e140945f467669c304

SHA256
39caf78c097f1377287730f17d4929757566f10bf355ce4a1690d541d2f20ad1

SHA512
c8214f55f7d6a524db6eda4e690cc429b8a9e497784dcf344a719d89dc44947f611169c95344c400dfaff84de3bb5ee01114d59fc8c9dcd0bedc71ee24a94c96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pog5kdua\pog5kdua.cmdline

Filesize
248B

MD5
01fc9350c0b7fc9baf79d7f84094c91a

SHA1
60c65d4919137898f896f8379a0e7645d5c48eef

SHA256
32a469d0a08c7d50205611b763c0694f149c8684b45e0df431d961a2177af754

SHA512
31e00585a5ee402d4af1842ea54038c8d0a317192971d9ee331f54e0faf37b5db2e1518ea94ad9c31b839fc9f2897bf57fc7bca713a8f34a7e7b02a6e5010057

Download Submit
memory/1620-19-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1620-35-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-1-0x0000000000D90000-0x0000000000E0E000-memory.dmp

Filesize
504KB

Download
memory/1620-17-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1620-0-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/1620-20-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1620-23-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/1620-6-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2504-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing