imminent | 4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0

General

Target

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Size

587KB
MD5

62f6fad0fda5914ffe98a696b39d2664
SHA1

622fbba68efba634088a783ebb7e6e931f7ecd9f
SHA256

4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0
SHA512

484bb8cbacc9907dd3ae9b8922af5169f4ad44385318f193aaf639404cc483aedad3ec9805188ca0bab9206f3538ef04848476206777e8152c21863d66265644
SSDEEP

12288:teR05v6rCmKni142PLmjcrRFTu6VsMSnbtg/nQEUHkk/:Sbqnl2PL9HiMSnJgUj/

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
3064	tmp.exe
2616	.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Token: SeDebugPrivilege	3064	tmp.exe
Token: 33	3064	tmp.exe
Token: SeIncBasePriorityPrivilege	3064	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	28
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	28
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	28
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	28
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\.exe
  "C:\Users\Admin\AppData\Local\Temp\.exe"
  2⤵
  - Executes dropped EXE
  PID:2616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
323KB

MD5
4b92b21c941444bd7e2f94732bd60f61

SHA1
838c0a98dd4b6769aa4cedbf408a76dfd7bde7c0

SHA256
cfd3cf21481b62f928e8d11af1b49b4c02feaab3491da54afe9ec7f31193205d

SHA512
44b917dc4f2dd7e0118947dab1791c5a1154d25db75ab770ca8c82e453cf3ea2f7f58dc294adfb1b751fcc47da35650afc8ffbbff65855a9d676f4ecda690d63

Download Submit
memory/1540-0-0x0000000074D41000-0x0000000074D42000-memory.dmp

Filesize
4KB

Download
memory/1540-1-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-2-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-35-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-34-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-27-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-33-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-29-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-19-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-18-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3064-31-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-14-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-32-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-41-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-42-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-43-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing