imminent | 88524f717ebc55d29998e05aaab0423af4be4617435086f9cef71bcbad819c45

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 04:13

Target

587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
Size

529KB
MD5

587e2bf883c6fbb146097e58de903cd1
SHA1

d6bef496d9070cf7c67f524ecbba1f15ba2f7c1d
SHA256

88524f717ebc55d29998e05aaab0423af4be4617435086f9cef71bcbad819c45
SHA512

126eb038803afe5074e788982e36a86121306dee2cf61263a41106e90f8cd4c27d1a746cda7ec7875cc7a10be837839d7658169b43af0920bbb8a0b5b0f51e40
SSDEEP

12288:G0UkdQ5ZGS4meNdQZguDTiljYvF5YlWAl7O8ojlaRe1ULsWSbyCOoSgW+rs415AF:G0UL5UN/NdQZgh+zHI

Score

10^/10

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
Token: 33	2012	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2012	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83
PID 228 wrote to memory of 2012	228	587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe	83

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:980

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\587e2bf883c6fbb146097e58de903cd1_JaffaCakes118.exe.log

Filesize
319B

MD5
a4da81a3544d9cd85f257967c0a431fe

SHA1
ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3

SHA256
ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e

SHA512
12348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f

Download Submit
memory/228-0-0x0000000075272000-0x0000000075273000-memory.dmp

Filesize
4KB

Download
memory/228-1-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/228-7-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-3-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/2012-6-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-8-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-9-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-17-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-18-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download
memory/2012-19-0x0000000075270000-0x0000000075821000-memory.dmp

Filesize
5.7MB

Download