imminent | 8e8941c4436c0c4666d8eb89429be7421341f051e1b07a73379c0505a9feeafe

General

Target

20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Size

485KB
MD5

20833d55ee686ee4b5e3dca815a71cfe
SHA1

9c44d4c2094dbe462a32d83e784ba30ed3526ee5
SHA256

8e8941c4436c0c4666d8eb89429be7421341f051e1b07a73379c0505a9feeafe
SHA512

2fcd668074474808b7130c34d888bd92be688794c4bb05b58ebad19565b7377ce69ad4ab729303401621718c9e4e3c44f17684d48a91a39684b4b9c0d948c7ef
SSDEEP

12288:ITpppppppp/ppppppppppppppppppppppppppppppppppppppppcbW26hcshXq9R:IyWFhz1q9NQ89qGEoE8yG

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TAQOna.url	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Token: SeDebugPrivilege	2940	RegAsm.exe
Token: 33	2940	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2940	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4568	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	85
PID 4472 wrote to memory of 4568	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	85
PID 4472 wrote to memory of 4568	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	85
PID 4568 wrote to memory of 2352	4568	csc.exe	87
PID 4568 wrote to memory of 2352	4568	csc.exe	87
PID 4568 wrote to memory of 2352	4568	csc.exe	87
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89
PID 4472 wrote to memory of 2940	4472	20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3345.tmp" "c:\Users\Admin\AppData\Local\Temp\1tobw2vm\CSCB1DA8AD6CAA4C52B0D55BB7228132D3.TMP"
    3⤵
    PID:2352
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2940

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.dll

Filesize
7KB

MD5
d5af38f3a241f2a9af34f2334d309517

SHA1
91e017a1760dd645b3fa8817c4027aa61c7063f8

SHA256
8bb9b812d17b486f42f4c677702ea26bd3cbf11ef600aae538484e603ec59daa

SHA512
d75507e2c5c161ec5dc5a2b9237d960b5c547c822b85332af335c3ad0861aae6d4d7edd2a3f0f387efc735b1bb6680565ab9c30143e24b40f577dce736eada2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.pdb

Filesize
23KB

MD5
4c79802722827f414420be2cdcdc559e

SHA1
601e88dd60135952e73678b81723b2472675f5f2

SHA256
5999d7d030e71315dabd8b050c88cdb13e8fae1a92a9a5df772cd74ea5fc33e5

SHA512
b22bb51cec3a740df0f3661bd7262b780a9e930ce2a2463b37d2c6b1f044f1d9059aa8b3953414cd4db59c2b1d0da04fdd8e84f874d2857a135e9eacc0ad4a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3345.tmp

Filesize
1KB

MD5
2faef469509ed8c306a984b59930e66a

SHA1
04eda1eb0550fe4fb2151a0efcf93553cebbf786

SHA256
417b238e9991f236acc36d015921710e902e348a36ffadebe8c5bde9a7f0dbe0

SHA512
92e6cea6b70d82ba249477e632b9695b2f50ddc8bb724042de5dd0e375a326100623d27b7a65db7f3ac7e79840a35731eca45472a3e71fd363c735d5051e5ecd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.0.cs

Filesize
5KB

MD5
7327c4ad223fe0791d7c523b8a1f06be

SHA1
148b97c8c52e904cda3a76e140945f467669c304

SHA256
39caf78c097f1377287730f17d4929757566f10bf355ce4a1690d541d2f20ad1

SHA512
c8214f55f7d6a524db6eda4e690cc429b8a9e497784dcf344a719d89dc44947f611169c95344c400dfaff84de3bb5ee01114d59fc8c9dcd0bedc71ee24a94c96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.cmdline

Filesize
248B

MD5
c30d8edfe123272a47dd8df81bca46f3

SHA1
1000848500b08151d82c5c5de7c0e3bc53025269

SHA256
93365c9365e3844b56adf6964887f2d5adfb3f9d6b938902c65811edf7ee15d8

SHA512
5fb1d45248eb78231ccfb2a94831d9127e13e92ec287ef8ef47148ff388ba2d3d1c12ffd6608cee0163b554aa175856819206e6696087c260f586529ec9a85c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1tobw2vm\CSCB1DA8AD6CAA4C52B0D55BB7228132D3.TMP

Filesize
1KB

MD5
1f23e667a9b08ff9a395bd7bd71a0239

SHA1
e5d028959010b7884a9b73dca1d4d601e67f7b68

SHA256
4fa6d8e1a046e81fe41d4209fb774496c3c179cd76e0901767a7ca741285e5f2

SHA512
5146f4950e248c8cbee24ae7a219cfbac0f99c8b3fff5a579fa8cf58ad6d3f03b1abf61bf796d2645784f5a0b9562d3b1310d92c4af6256be2f83f4220f95176

Download Submit
memory/2940-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2940-41-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/2940-40-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/2940-39-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

Filesize
4KB

Download
memory/2940-31-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/2940-30-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/2940-29-0x0000000073FC2000-0x0000000073FC3000-memory.dmp

Filesize
4KB

Download
memory/4472-1-0x0000000000D20000-0x0000000000D9E000-memory.dmp

Filesize
504KB

Download
memory/4472-25-0x0000000005E00000-0x0000000005E9C000-memory.dmp

Filesize
624KB

Download
memory/4472-24-0x0000000005D00000-0x0000000005D56000-memory.dmp

Filesize
344KB

Download
memory/4472-28-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4472-21-0x00000000056B0000-0x00000000056BC000-memory.dmp

Filesize
48KB

Download
memory/4472-20-0x0000000005970000-0x00000000059D0000-memory.dmp

Filesize
384KB

Download
memory/4472-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/4472-5-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4472-17-0x00000000030E0000-0x00000000030E8000-memory.dmp

Filesize
32KB

Download
memory/4472-19-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing