imminent | 67d8793f47d5f705d7cc7e1bf8db01f7262b128a7e9dce0e5a5b7e4cb3499dfe

General

Target

2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
Size

651KB
MD5

2da7dbf004627acb33ca903770a3ed23
SHA1

ea09cc067c2adcfa36b4fd167954a79f960432c3
SHA256

67d8793f47d5f705d7cc7e1bf8db01f7262b128a7e9dce0e5a5b7e4cb3499dfe
SHA512

00b1ac01c9d338e4ee67a30a7123417e6dbe1790f47d55412dd7a61587eaf21e70cb6005ea3d004cefdac5e296f65d9531ba68defa54cdf7dace8e08f1316590
SSDEEP

12288:4RpHE9jQpu/SlV5FK1sfKV8s+xpfUTPaGnnVinH/pMNFSWPHNZZ34MFBG2A:wpk9jQM/6ZU8s+rmCGnc/pZ2HNYMjxA

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aUSBKN.url	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
536	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
Token: SeDebugPrivilege	536	RegAsm.exe
Token: 33	536	RegAsm.exe
Token: SeIncBasePriorityPrivilege	536	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
536	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3648	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	84
PID 2940 wrote to memory of 3648	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	84
PID 2940 wrote to memory of 3648	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	84
PID 3648 wrote to memory of 4232	3648	csc.exe	86
PID 3648 wrote to memory of 4232	3648	csc.exe	86
PID 3648 wrote to memory of 4232	3648	csc.exe	86
PID 2940 wrote to memory of 4028	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	87
PID 2940 wrote to memory of 4028	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	87
PID 2940 wrote to memory of 4028	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	87
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88
PID 2940 wrote to memory of 536	2940	2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2da7dbf004627acb33ca903770a3ed23_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lil5ry3w\lil5ry3w.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "c:\Users\Admin\AppData\Local\Temp\lil5ry3w\CSCAC815D1E6AD6407B8D8C23654A1715CB.TMP"
    3⤵
    PID:4232
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES442D.tmp

Filesize
1KB

MD5
ebd5125606c996325a1e1186d1820e27

SHA1
952cc89863cda46930fd935671d4d40352e524f3

SHA256
032ac4029729ecef1711d7546b81e0ddac9755e93144b1268e0020eae69c9d52

SHA512
cb388fd3aefc90572d8d47d804c07b6a04a3edccf6041607ddd0cc823a70df63ec065ce89f76cef9601debca46829cc1fc031975edd28aa8bc0bbe8ff2474181

Download Submit
C:\Users\Admin\AppData\Local\Temp\lil5ry3w\lil5ry3w.dll

Filesize
19KB

MD5
e4cf562ff8aeff34c2b31b9dee387703

SHA1
3678a8216511e11961a74f88585094cb48806d4b

SHA256
e8dca0346aba30904013f015703b25b67a1f5a8bc4b110d3747281da463061d9

SHA512
cdc7a8208d4c65603e9bda750c1fc5c48c4368e9ce067418fe7c4bde435b23c37ed1c12acfef6683863ed2e79d93084d1a379cd80376ed45203965168261767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lil5ry3w\lil5ry3w.pdb

Filesize
63KB

MD5
04bf02184f17d6144dc046563f1500ec

SHA1
a8b7caf637037bb1f327d62dd5d323643660f406

SHA256
daca49120e75aad42ccde04dd4c71c1b6ac1bd64aca89e9d2e45d867f8587e2c

SHA512
dc79a37f45f58cd053b08c79d05356babe54133d0a09f08465d4c8d5d547dcbc172936a6ba644bfaad03c014fa5a3599cb567886ee45d350591102e0b7b03511

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lil5ry3w\CSCAC815D1E6AD6407B8D8C23654A1715CB.TMP

Filesize
1KB

MD5
b1b619bdfb28e3300e0b3ec373c11158

SHA1
a5f349dd6098f02ed6603d8ea0e8153b4d796cd6

SHA256
a74f3ad4b9c83bf8965ed5928551b9efeac36fd7dc06fce49907a6c06911daa1

SHA512
8baf2e843550e2d6eb1c6d282e9652758dd6b3c71ed3871288a25ebe7a893678edad6e8ae8e2adbfc63cd61f6c124247fdeedbf1c4526a39a5facf9126b716c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lil5ry3w\lil5ry3w.0.cs

Filesize
42KB

MD5
10243da63aeb9c410422bbdf64bb3e0a

SHA1
5c80f6c21367f9a31b4672722dcb6c75ae074690

SHA256
78b7aa42b7ecf0716fe40a9457b801bc735ff1073297afb9b718e1ba699d35bf

SHA512
e89c77ee647b1cc81796cfdf96263c7537b5d3cc5fb433161f367699a6607e216152fecd1ecd25f151ad283f8dbc8bbf74457d451f0bb36e1ccde760bb71e342

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lil5ry3w\lil5ry3w.cmdline

Filesize
312B

MD5
a9e8549a722846ddd91df1de2eeda4c4

SHA1
92518ef606159ee2f0c53723a32bad5e8efbe4cf

SHA256
0ba70df006c212b6dba003059983111911919c2fdea78972e310cccdf98b8b69

SHA512
93a83c00fbafa473b9156df1a663c9d324a2e153f8170a0fb069e03346e9aac267c9252c8fe7172a49c98ead06b0387d8834c0526f3aa508dd5e7537e1779c8e

Download Submit
memory/536-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/536-29-0x0000000074F82000-0x0000000074F83000-memory.dmp

Filesize
4KB

Download
memory/536-40-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/536-39-0x0000000074F82000-0x0000000074F83000-memory.dmp

Filesize
4KB

Download
memory/536-31-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/536-30-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/2940-24-0x0000000005090000-0x00000000050E6000-memory.dmp

Filesize
344KB

Download
memory/2940-5-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2940-25-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/2940-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2940-28-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/2940-21-0x0000000004B20000-0x0000000004B2C000-memory.dmp

Filesize
48KB

Download
memory/2940-20-0x0000000004D40000-0x0000000004DA0000-memory.dmp

Filesize
384KB

Download
memory/2940-19-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/2940-17-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/2940-1-0x00000000001B0000-0x000000000025A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing