imminent | 67d8793f47d5f705d7cc7e1bf8db01f7262b128a7e9dce0e5a5b7e4cb3499dfe

General

Target

2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
Size

651KB
MD5

2da7dbf004627acb33ca903770a3ed23
SHA1

ea09cc067c2adcfa36b4fd167954a79f960432c3
SHA256

67d8793f47d5f705d7cc7e1bf8db01f7262b128a7e9dce0e5a5b7e4cb3499dfe
SHA512

00b1ac01c9d338e4ee67a30a7123417e6dbe1790f47d55412dd7a61587eaf21e70cb6005ea3d004cefdac5e296f65d9531ba68defa54cdf7dace8e08f1316590
SSDEEP

12288:4RpHE9jQpu/SlV5FK1sfKV8s+xpfUTPaGnnVinH/pMNFSWPHNZZ34MFBG2A:wpk9jQM/6ZU8s+rmCGnc/pZ2HNYMjxA

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aUSBKN.url	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
Token: SeDebugPrivilege	2692	RegAsm.exe
Token: 33	2692	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2692	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1936	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	28
PID 944 wrote to memory of 1936	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	28
PID 944 wrote to memory of 1936	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	28
PID 944 wrote to memory of 1936	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	28
PID 1936 wrote to memory of 1152	1936	csc.exe	30
PID 1936 wrote to memory of 1152	1936	csc.exe	30
PID 1936 wrote to memory of 1152	1936	csc.exe	30
PID 1936 wrote to memory of 1152	1936	csc.exe	30
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31
PID 944 wrote to memory of 2692	944	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vfkqye4i\vfkqye4i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCB6.tmp" "c:\Users\Admin\AppData\Local\Temp\vfkqye4i\CSC2CBD4F2C17284BF8A5C0A04BC5D26C28.TMP"
    3⤵
    PID:1152
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFCB6.tmp

Filesize
1KB

MD5
ee4235b674f0024e5fb46a12d868cab3

SHA1
676c7f92020f0aa7e69aa951be4eb4fd52a6352e

SHA256
91e76918870601c838b82cd1d2a972535838784d898930e6ee5eb89cdd2b3b0c

SHA512
b3925cbd7a1f017b520bd5c50e6bfd911735287cfb9f2aa4e475d312ec5da7b2825b728a0b8daaf9ffe787ed1fd9e9af6861c16bc5e62f6a55ba02fd1565a8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfkqye4i\vfkqye4i.dll

Filesize
19KB

MD5
e81b256d41dcb76aeb7fbfe679d1427a

SHA1
14fdd468b6453a36e00802a5ff9ba72fc88b222a

SHA256
65c6e3f918b0d79b25fa5d504f1bebf5c07a8b31fd3ef891b446d598e8538461

SHA512
06dc48c8f8a1ea9ef62687af48f2410077f0d9fd5b84a1ad7e4ae1547c751a6cc93616b393ad10300c9146e040adb522ab8259c227112e564f1fcfc48afb4850

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfkqye4i\vfkqye4i.pdb

Filesize
63KB

MD5
4495b88bfe0284fd32f6bedc566d9887

SHA1
587c49d57a5399d9de9b17bc80e770add6004a6b

SHA256
803fcab0d9631331ce083221126dd158e3ef42e504918f71e563fc7adf5f4fcf

SHA512
94376ef8e06f9c64906e50f5e806c83f50f835a0788f1b7dc60e121faa81dbc17b32e951d97411330895412c77311a2c21a7127c135c6db178103584b4d1b32a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vfkqye4i\CSC2CBD4F2C17284BF8A5C0A04BC5D26C28.TMP

Filesize
1KB

MD5
d4cdf558109ccd96c8b1d3297b98871b

SHA1
d5baf69fc78b8f0a2b7518ce5d1b5292915a7e6f

SHA256
377a4dde1f5471c3ec0f39c128415f7eca6ffc4ffea364c196d914cc622092ee

SHA512
27985dd3bdd49f537281c9d5fb399b32bf3c3d637898871f8cc156e8601dbb401c60f119d65ac9d4c6706eba9ae3d20df9fa0d6c6bd90188da8486a29658880d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vfkqye4i\vfkqye4i.0.cs

Filesize
42KB

MD5
10243da63aeb9c410422bbdf64bb3e0a

SHA1
5c80f6c21367f9a31b4672722dcb6c75ae074690

SHA256
78b7aa42b7ecf0716fe40a9457b801bc735ff1073297afb9b718e1ba699d35bf

SHA512
e89c77ee647b1cc81796cfdf96263c7537b5d3cc5fb433161f367699a6607e216152fecd1ecd25f151ad283f8dbc8bbf74457d451f0bb36e1ccde760bb71e342

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vfkqye4i\vfkqye4i.cmdline

Filesize
312B

MD5
17eecb6d708dfc7122656bd468ac77aa

SHA1
a1a3c89b9d9a3d710bf3fd6e1a15a0739ebb6ce3

SHA256
238103b2a7755dacb1d2d22abc9ea7c32dc07f57c9c36f3be60da203a94a1652

SHA512
483de44a39a7759b56bfa1a735a5d6480ff2de2f0212a28c1e3ef1bc238cff2c239cf8fe41361c8963928100c39d26a75442f1f0a6c965f19a19b7a39cd033ad

Download Submit
memory/944-19-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/944-37-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/944-1-0x0000000000CD0000-0x0000000000D7A000-memory.dmp

Filesize
680KB

Download
memory/944-17-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/944-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/944-20-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/944-23-0x0000000004450000-0x00000000044A6000-memory.dmp

Filesize
344KB

Download
memory/944-5-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2692-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing