imminent | ed11f0001b22186152323f70938a5a21381b163818a7b27c815cc4b0ea90a61b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
Size

482KB
MD5

61dc0c1453543714395c5afac10c02cb
SHA1

e3688921c54a532e14019abd1d5610ed93a507ae
SHA256

ed11f0001b22186152323f70938a5a21381b163818a7b27c815cc4b0ea90a61b
SHA512

3f73041faba41966391f376e0debcca65f864c9b7d46016d759a39074c46b42dca7d025841f2d07ae8b3ab88bc96e6265859baf8f3468792a2a69423e538222a
SSDEEP

12288:gCQSnwxCzWzeHK8kx4xWg0X+z+4pVHWx2Rlk4IT6g:gCQSqCiOkqxWwhHWxuleT

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSystemUpdate = "\\Windows\\SystemWindows.exe"	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSystemUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\SystemWindows.exe"	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 4148 set thread context of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SystemWindows.exe	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5052	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
Token: SeDebugPrivilege	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
Token: SeDebugPrivilege	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
Token: SeDebugPrivilege	2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
Token: 33	2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
Token: SeIncBasePriorityPrivilege	2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 2680 wrote to memory of 4744	2680	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	93
PID 4744 wrote to memory of 4148	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	97
PID 4744 wrote to memory of 4148	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	97
PID 4744 wrote to memory of 4148	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	97
PID 4744 wrote to memory of 2136	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	98
PID 4744 wrote to memory of 2136	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	98
PID 4744 wrote to memory of 2136	4744	61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe	98
PID 2136 wrote to memory of 5052	2136	cmd.exe	100
PID 2136 wrote to memory of 5052	2136	cmd.exe	100
PID 2136 wrote to memory of 5052	2136	cmd.exe	100
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101
PID 4148 wrote to memory of 2856	4148	61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_jaffacakes118\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_jaffacakes118\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_jaffacakes118\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_jaffacakes118\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:5052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe.log

Filesize
1KB

MD5
6809c316af59007886ea5b3420fbef95

SHA1
4fef6d9eb76cab011863151e59bf624dcb659446

SHA256
8e1e00a80229ba89bc9cfcdcc8123f78ce780c983138f1b95cae9112df095105

SHA512
d67c763a8c8bd45f8af6c1d83b55433777803ca1fa9fe379055d38d93ce3b057ef622df87dc3f5466783fe7c394416307205775809b39ed33fd92fe0af4cdee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\61dc0c1453543714395c5afac10c02cb_jaffacakes118\61dc0c1453543714395c5afac10c02cb_jaffacakes118.exe

Filesize
482KB

MD5
61dc0c1453543714395c5afac10c02cb

SHA1
e3688921c54a532e14019abd1d5610ed93a507ae

SHA256
ed11f0001b22186152323f70938a5a21381b163818a7b27c815cc4b0ea90a61b

SHA512
3f73041faba41966391f376e0debcca65f864c9b7d46016d759a39074c46b42dca7d025841f2d07ae8b3ab88bc96e6265859baf8f3468792a2a69423e538222a

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
56B

MD5
a3fb02f2aface84e270d7e4b957405cc

SHA1
65c3334253de9f120460e3e52960be36d9479849

SHA256
26d429a3a73a7ee8eca3e953d3ceb7a3aa5f6275e6fcb649affb9f4e2229656d

SHA512
d80e9b2ba3b70015870ad56665c1a04071ccff0053e595ba48a1bd674cee15c0e4b3f326035aad81ce9d5378918467274951455fc1d93100df4231f126a179cd

Download Submit
memory/2680-8-0x000000000B270000-0x000000000B30C000-memory.dmp

Filesize
624KB

Download
memory/2680-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/2680-5-0x0000000002F60000-0x0000000002F82000-memory.dmp

Filesize
136KB

Download
memory/2680-6-0x000000000AA20000-0x000000000AFC4000-memory.dmp

Filesize
5.6MB

Download
memory/2680-7-0x000000000A570000-0x000000000A602000-memory.dmp

Filesize
584KB

Download
memory/2680-3-0x0000000002F80000-0x0000000002F9A000-memory.dmp

Filesize
104KB

Download
memory/2680-2-0x0000000007AF0000-0x0000000007BAE000-memory.dmp

Filesize
760KB

Download
memory/2680-4-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2680-12-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2680-1-0x0000000000B40000-0x0000000000BC0000-memory.dmp

Filesize
512KB

Download
memory/2856-41-0x0000000006530000-0x000000000653A000-memory.dmp

Filesize
40KB

Download
memory/2856-40-0x00000000064B0000-0x00000000064C6000-memory.dmp

Filesize
88KB

Download
memory/4148-37-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4148-33-0x00000000048F0000-0x0000000004912000-memory.dmp

Filesize
136KB

Download
memory/4148-34-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4148-31-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4744-15-0x00000000057A0000-0x000000000584E000-memory.dmp

Filesize
696KB

Download
memory/4744-18-0x0000000006EC0000-0x0000000006ED8000-memory.dmp

Filesize
96KB

Download
memory/4744-32-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4744-17-0x00000000067E0000-0x0000000006846000-memory.dmp

Filesize
408KB

Download
memory/4744-16-0x0000000008BD0000-0x0000000008BF8000-memory.dmp

Filesize
160KB

Download
memory/4744-14-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4744-13-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/4744-11-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4744-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download