imminent | 7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
Size

720KB
MD5

5aa6faa9faa35e97f9527e74b225a3e8
SHA1

470b643745f6bf44cb09e8162d7120adcfd71e60
SHA256

7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea
SHA512

6b29db274b46b5675d3c508b4e605e3f6a1c5e15bb7b07ed92020af2e90551b46a6f06284d232c5756c77b66213c99f3cc0d70b0d31c6eacf1910994221c521b
SSDEEP

12288:gwih9pFaczF1wAgyNeemCGnknz+A/1Hrj5/db2zHQdj+U:2pFdz3BeemC3vXFb27Qdj

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
2768	tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2836	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	tmp.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2080	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2080	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2080	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	28
PID 2276 wrote to memory of 2080	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2516	2080	cmd.exe	30
PID 2080 wrote to memory of 2516	2080	cmd.exe	30
PID 2080 wrote to memory of 2516	2080	cmd.exe	30
PID 2080 wrote to memory of 2516	2080	cmd.exe	30
PID 2276 wrote to memory of 2768	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2768	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2768	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2768	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2540	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2484	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2484	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2484	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2484	2276	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	33
PID 2484 wrote to memory of 2836	2484	cmd.exe	35
PID 2484 wrote to memory of 2836	2484	cmd.exe	35
PID 2484 wrote to memory of 2836	2484	cmd.exe	35
PID 2484 wrote to memory of 2836	2484	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.lnk " /f
    3⤵
    PID:2516
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe"
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Folderw\winup.exe

Filesize
720KB

MD5
5aa6faa9faa35e97f9527e74b225a3e8

SHA1
470b643745f6bf44cb09e8162d7120adcfd71e60

SHA256
7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea

SHA512
6b29db274b46b5675d3c508b4e605e3f6a1c5e15bb7b07ed92020af2e90551b46a6f06284d232c5756c77b66213c99f3cc0d70b0d31c6eacf1910994221c521b

Download Submit
C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.bat

Filesize
190B

MD5
6fce4665f78683ad44cdf91f6feb74ff

SHA1
79f17cb3fcc259ecdd1465a6cc36f7751313079e

SHA256
b9347d7fc0616e71c7a224ae320cc2828442a8fd3600039bf13d29f7150133fd

SHA512
6d27d5b47a942d1cfcea32b74958474eb577c1b94a6609654c972d2663491c9f56294f8b99156bcf8a7e9d145f46b2be031352ad72cf455c0c2b3f7538f790e6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
440KB

MD5
387ee6ca07273f7901c7f089d4a9d786

SHA1
36c44944510aae9ae0efe4ea9f70aeac38510f29

SHA256
09b1e63aac8edb4c79bfaab37726d56f906452c93ca2f8705c9893093d6cc599

SHA512
18e41f519ec776867636618e7b4239e58598c5b24e40e17f8f1e0a42b48b5e9fb0b69a9ec560e17a49e5cabd9c72b61b757b82b9140e1541ed4b7e8559db0a34

Download Submit
memory/2276-1-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-2-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-64-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-0-0x0000000074341000-0x0000000074342000-memory.dmp

Filesize
4KB

Download
memory/2540-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-61-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-25-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-23-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-19-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-46-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-48-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-28-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-54-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-53-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-49-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-47-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-55-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2540-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2768-31-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-30-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-29-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-67-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download