imminent | 7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea

General

Target

5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
Size

720KB
MD5

5aa6faa9faa35e97f9527e74b225a3e8
SHA1

470b643745f6bf44cb09e8162d7120adcfd71e60
SHA256

7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea
SHA512

6b29db274b46b5675d3c508b4e605e3f6a1c5e15bb7b07ed92020af2e90551b46a6f06284d232c5756c77b66213c99f3cc0d70b0d31c6eacf1910994221c521b
SSDEEP

12288:gwih9pFaczF1wAgyNeemCGnknz+A/1Hrj5/db2zHQdj+U:2pFdz3BeemC3vXFb27Qdj

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4368	tmp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe
File created	C:\Windows\assembly\Desktop.ini	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	tmp.exe
File created	C:\Windows\assembly\Desktop.ini	tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3012	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
Token: SeDebugPrivilege	4368	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4368	tmp.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1788	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	94
PID 392 wrote to memory of 1788	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	94
PID 392 wrote to memory of 1788	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	94
PID 1788 wrote to memory of 2752	1788	cmd.exe	96
PID 1788 wrote to memory of 2752	1788	cmd.exe	96
PID 1788 wrote to memory of 2752	1788	cmd.exe	96
PID 392 wrote to memory of 4368	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	97
PID 392 wrote to memory of 4368	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	97
PID 392 wrote to memory of 4368	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	97
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4704	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	98
PID 392 wrote to memory of 4532	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	99
PID 392 wrote to memory of 4532	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	99
PID 392 wrote to memory of 4532	392	5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe	99
PID 4532 wrote to memory of 3012	4532	cmd.exe	101
PID 4532 wrote to memory of 3012	4532	cmd.exe	101
PID 4532 wrote to memory of 3012	4532	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.lnk " /f
    3⤵
    PID:2752
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe"
  2⤵
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5aa6faa9faa35e97f9527e74b225a3e8_JaffaCakes118.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Roaming\Folderw\winup.exe

Filesize
720KB

MD5
5aa6faa9faa35e97f9527e74b225a3e8

SHA1
470b643745f6bf44cb09e8162d7120adcfd71e60

SHA256
7b06aa6735ae3956748e9fee4994b459dea5bcd64abbd85c15ef8a9f874c6cea

SHA512
6b29db274b46b5675d3c508b4e605e3f6a1c5e15bb7b07ed92020af2e90551b46a6f06284d232c5756c77b66213c99f3cc0d70b0d31c6eacf1910994221c521b

Download Submit
C:\Users\Admin\AppData\Roaming\Folderw\winup.exe.bat

Filesize
190B

MD5
6fce4665f78683ad44cdf91f6feb74ff

SHA1
79f17cb3fcc259ecdd1465a6cc36f7751313079e

SHA256
b9347d7fc0616e71c7a224ae320cc2828442a8fd3600039bf13d29f7150133fd

SHA512
6d27d5b47a942d1cfcea32b74958474eb577c1b94a6609654c972d2663491c9f56294f8b99156bcf8a7e9d145f46b2be031352ad72cf455c0c2b3f7538f790e6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
440KB

MD5
387ee6ca07273f7901c7f089d4a9d786

SHA1
36c44944510aae9ae0efe4ea9f70aeac38510f29

SHA256
09b1e63aac8edb4c79bfaab37726d56f906452c93ca2f8705c9893093d6cc599

SHA512
18e41f519ec776867636618e7b4239e58598c5b24e40e17f8f1e0a42b48b5e9fb0b69a9ec560e17a49e5cabd9c72b61b757b82b9140e1541ed4b7e8559db0a34

Download Submit
memory/392-1-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/392-2-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/392-54-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/392-0-0x0000000075002000-0x0000000075003000-memory.dmp

Filesize
4KB

Download
memory/4368-19-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-21-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-22-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-57-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-48-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-33-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-49-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-46-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-44-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-41-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-40-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-38-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-34-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-52-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4704-31-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-32-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-30-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-29-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-36-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-35-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4704-28-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing