imminent | 2b840ed4df72c857084148fd16b191bdee7cff55e3b0ddd94224e97591db5fe7

General

Target

3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Size

876KB
MD5

3609c501d71a7784fd86305b10b67fc3
SHA1

c6cfbd50341f7757b7d81bd932973042d4c2cf1e
SHA256

2b840ed4df72c857084148fd16b191bdee7cff55e3b0ddd94224e97591db5fe7
SHA512

791adad02a96e4732d47c894cf4fea71df5211a1e890bf6c063a5cf38329f5be3d5caa2bca03bb4ee247708009af61dd84dae056d83da18718a24302cff0b69e
SSDEEP

12288:BO5XlyKR9n6WXoNZU3kpnrm+uG4s/dx93n1AxVKXFsLVdjOZhSBlTQFO5:BONnrXLkpnaIV3nvFAOZ0BlcFO5

Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1952-2-0x0000000001F70000-0x0000000001FA8000-memory.dmp	family_zgrat_v1

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1952-2-0x0000000001F70000-0x0000000001FA8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Servicis = "C:\\Users\\Admin\\AppData\\Roaming\\win\\Servicis.exe"	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Servicis = "\\win\\Servicis.exe"	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: 33	2888	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2888	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30
PID 1952 wrote to memory of 2888	1952	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
47B

MD5
3b3300a17860593cd56c4bdb053a35f7

SHA1
a8592ae24551fe35a4df8fd6b48ac81a41327290

SHA256
81e4febef2dd5de0dec846a9c28210ed8adbb3cdd69866e449e8481f3c02da25

SHA512
7be75a902ac5fd084032c394e8e0440965b67a8d3e6f9cb35a3a431abeddfeec6ad064d6544dd5483f56554f4bf68579ae50c987035c894a230ff0f54b3e0edb

Download Submit
memory/1952-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x0000000000960000-0x0000000000A44000-memory.dmp

Filesize
912KB

Download
memory/1952-2-0x0000000001F70000-0x0000000001FA8000-memory.dmp

Filesize
224KB

Download
memory/1952-3-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1952-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1952-5-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1952-6-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1952-13-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-14-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2888-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2888-15-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-12-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2888-16-0x0000000004EF0000-0x0000000004F9E000-memory.dmp

Filesize
696KB

Download
memory/2888-17-0x00000000003C0000-0x00000000003E8000-memory.dmp

Filesize
160KB

Download
memory/2888-20-0x00000000006A0000-0x00000000006B6000-memory.dmp

Filesize
88KB

Download
memory/2888-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2888-43-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-47-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads