imminent | cb84010badac25e5bad6137e5f46f3ee05be2fea3bbb065fbbb18075e7ee5df1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
Size

1.5MB
MD5

75e46df89a356a452c6c29a75964d3fc
SHA1

823e2d3ef005d36b1401472dd5fd687a652b81b0
SHA256

cb84010badac25e5bad6137e5f46f3ee05be2fea3bbb065fbbb18075e7ee5df1
SHA512

f4b56b6882e5fc9b5550a09694a1a456a305e8a7d84a9e5189ec1411e28166d1e120033101bca60c80dd9d0344017653aaec47c6bdc7057b3f7e4ade526c2119
SSDEEP

24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaZLS6SQBCZNRrrBJXq2ceUgQAK/5:5h+ZkldoPK8YaZLSi

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
2420	lsass.exe
692	lsass.exe
2420	lsass.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\lsass.exe"	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NET Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\Application Frame Host.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NET Framework = "\\Roaming\\Application Frame Host.exe"	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0039000000013362-27.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	RegAsm.exe
Token: 33	1228	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1228	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1228	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2060	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2060	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2060	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2060	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1228	2424	75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe	30
PID 1612 wrote to memory of 2420	1612	taskeng.exe	37
PID 1612 wrote to memory of 2420	1612	taskeng.exe	37
PID 1612 wrote to memory of 2420	1612	taskeng.exe	37
PID 1612 wrote to memory of 2420	1612	taskeng.exe	37
PID 1612 wrote to memory of 692	1612	taskeng.exe	39
PID 1612 wrote to memory of 692	1612	taskeng.exe	39
PID 1612 wrote to memory of 692	1612	taskeng.exe	39
PID 1612 wrote to memory of 692	1612	taskeng.exe	39
PID 1612 wrote to memory of 2420	1612	taskeng.exe	40
PID 1612 wrote to memory of 2420	1612	taskeng.exe	40
PID 1612 wrote to memory of 2420	1612	taskeng.exe	40
PID 1612 wrote to memory of 2420	1612	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75e46df89a356a452c6c29a75964d3fc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /tn npudibozpm /tr C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe /sc minute /mo 1
  2⤵
  - Creates scheduled task(s)
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2968

C:\Windows\system32\taskeng.exe
taskeng.exe {DF9A1A66-BCCB-4B66-A0AA-8E19E4D8A1BE} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe
  2⤵
  - Executes dropped EXE
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
65B

MD5
273fff8bf9d33aff94e61118086b8e12

SHA1
651020cf6d05a0a4b06c80b995d95550d10c86e4

SHA256
590920795bd9a5c2a36831ca476220c030e54ead92420bf8c60871984843f760

SHA512
7e7c49e8bd21d6838ce1f17626d70b7973a1f2d0ece0bead742a956a2645227adf0c890c746448afa97c2a80c59a0ca4edbc85be265a0ff93a1710fb4962307f

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\lsass.exe

Filesize
1.5MB

MD5
75e46df89a356a452c6c29a75964d3fc

SHA1
823e2d3ef005d36b1401472dd5fd687a652b81b0

SHA256
cb84010badac25e5bad6137e5f46f3ee05be2fea3bbb065fbbb18075e7ee5df1

SHA512
f4b56b6882e5fc9b5550a09694a1a456a305e8a7d84a9e5189ec1411e28166d1e120033101bca60c80dd9d0344017653aaec47c6bdc7057b3f7e4ade526c2119

Download Submit
memory/1228-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1228-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1228-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1228-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1228-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1228-11-0x0000000073A72000-0x0000000073A74000-memory.dmp

Filesize
8KB

Download
memory/1228-42-0x0000000073A72000-0x0000000073A74000-memory.dmp

Filesize
8KB

Download
memory/2424-10-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download