imminent | 2b840ed4df72c857084148fd16b191bdee7cff55e3b0ddd94224e97591db5fe7

General

Target

3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Size

876KB
MD5

3609c501d71a7784fd86305b10b67fc3
SHA1

c6cfbd50341f7757b7d81bd932973042d4c2cf1e
SHA256

2b840ed4df72c857084148fd16b191bdee7cff55e3b0ddd94224e97591db5fe7
SHA512

791adad02a96e4732d47c894cf4fea71df5211a1e890bf6c063a5cf38329f5be3d5caa2bca03bb4ee247708009af61dd84dae056d83da18718a24302cff0b69e
SSDEEP

12288:BO5XlyKR9n6WXoNZU3kpnrm+uG4s/dx93n1AxVKXFsLVdjOZhSBlTQFO5:BONnrXLkpnaIV3nvFAOZ0BlcFO5

Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1312-4-0x0000000005620000-0x0000000005658000-memory.dmp	family_zgrat_v1

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1312-4-0x0000000005620000-0x0000000005658000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Servicis = "\\win\\Servicis.exe"	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Servicis = "C:\\Users\\Admin\\AppData\\Roaming\\win\\Servicis.exe"	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4716	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: SeDebugPrivilege	4716	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: 33	4716	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4716	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4716	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96
PID 1312 wrote to memory of 4716	1312	3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3609c501d71a7784fd86305b10b67fc3_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
47B

MD5
3b3300a17860593cd56c4bdb053a35f7

SHA1
a8592ae24551fe35a4df8fd6b48ac81a41327290

SHA256
81e4febef2dd5de0dec846a9c28210ed8adbb3cdd69866e449e8481f3c02da25

SHA512
7be75a902ac5fd084032c394e8e0440965b67a8d3e6f9cb35a3a431abeddfeec6ad064d6544dd5483f56554f4bf68579ae50c987035c894a230ff0f54b3e0edb

Download Submit
memory/1312-10-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1312-3-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/1312-4-0x0000000005620000-0x0000000005658000-memory.dmp

Filesize
224KB

Download
memory/1312-5-0x0000000005560000-0x0000000005566000-memory.dmp

Filesize
24KB

Download
memory/1312-6-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/1312-7-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/1312-8-0x0000000009160000-0x00000000091FC000-memory.dmp

Filesize
624KB

Download
memory/1312-1-0x0000000000AF0000-0x0000000000BD4000-memory.dmp

Filesize
912KB

Download
memory/1312-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/1312-2-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/1312-14-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4716-13-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4716-15-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4716-17-0x00000000085C0000-0x00000000085E8000-memory.dmp

Filesize
160KB

Download
memory/4716-16-0x0000000005190000-0x000000000523E000-memory.dmp

Filesize
696KB

Download
memory/4716-18-0x00000000072C0000-0x0000000007326000-memory.dmp

Filesize
408KB

Download
memory/4716-19-0x00000000078C0000-0x00000000078D8000-memory.dmp

Filesize
96KB

Download
memory/4716-22-0x0000000007A50000-0x0000000007A66000-memory.dmp

Filesize
88KB

Download
memory/4716-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4716-46-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4716-50-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads