imminent | 0c9c2d9f3fae53310238d294bc9f9b020c4bb513a1946abbe5762458623899f1

General

Target

80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
Size

394KB
MD5

80d97e6956cac5c3e1932d6400da559c
SHA1

e7f9775ba192271d11d77b9da1821ffdba8367d4
SHA256

0c9c2d9f3fae53310238d294bc9f9b020c4bb513a1946abbe5762458623899f1
SHA512

571d557b21d9add9e5bb311b7b6209afd6efa7ce986771b8c27419d89cd5eb9f4c919d4346392776c54fba061f12a009265ca3f68cffc2fc12f7896af9011bb0
SSDEEP

6144:5UHSIWbCGWh4XA8FP2+zd0vUMnPbRn3jy6GhOeT5oaxxMcof9JCH3nFRT7sIzFhg:5UHSbwermT3MT5o3/inHEsFFV

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TuAKWf.url	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
Token: SeDebugPrivilege	2916	RegAsm.exe
Token: 33	2916	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2916	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1864	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 1864	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 1864	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 1864	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	28
PID 1864 wrote to memory of 2320	1864	csc.exe	30
PID 1864 wrote to memory of 2320	1864	csc.exe	30
PID 1864 wrote to memory of 2320	1864	csc.exe	30
PID 1864 wrote to memory of 2320	1864	csc.exe	30
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2916	1508	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltnan41c\ltnan41c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34D6.tmp" "c:\Users\Admin\AppData\Local\Temp\ltnan41c\CSC19A59F18CDAA439DB655609D321C8D9F.TMP"
    3⤵
    PID:2320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES34D6.tmp

Filesize
1KB

MD5
1a4afb716885dc1dae4f18b6b8ad219c

SHA1
ae7371ae925fc33efed7e8e2cab7e59bb2f8df84

SHA256
371c4efc2b3bb933db5944c555004e263f757cea75dd65b2b67b14dcfd0e8188

SHA512
ed6dabacfb9f43a3f97b1ab2a28fb1cfe5eb998030cb2980ebb7c10ba8bdd060b0e2c38fd9cd71b8aae5f7d441f9a16bc58b54795910222504b66a3eeff5c7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltnan41c\ltnan41c.dll

Filesize
8KB

MD5
0f2c6b87c3579972c6be33d676cccac7

SHA1
c2876a0402a929099877f18364039bc6064f4bb4

SHA256
24c7281ac6e48b4bad4a74e8d16d8612ffd89edc47b6a974bfca9e96ce404556

SHA512
110218bac146d024180c8747ca1bccba5b55dbcea9b45637952dcebb602e0ce5d519ed01c7a0b46c6310dd1bc7071147cf9a753f5db8388fcd09dee16ae94828

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltnan41c\ltnan41c.pdb

Filesize
25KB

MD5
f8b2ffa394f0d6740eea04dd661dd257

SHA1
7b6d4909d40546ba98f06cf800d91fd96c72ff64

SHA256
cde5c043e89cacbe5e5a6d302b6acc291191d24f7c80835df796311632bac201

SHA512
5a7142a0581157b2580f1c3c805abb3b184bda5c34bd76b68979bcfe109d8b586c579099696f393ee70a761806bd9f79f7090360d3227ead81710fc1e2fd56f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltnan41c\CSC19A59F18CDAA439DB655609D321C8D9F.TMP

Filesize
1KB

MD5
b1a894c3862c051fa95334ad64bde02a

SHA1
cd718ea2b21e049960dcbf5c59c18ffecf7ebb8a

SHA256
aa5e6e581db8a1570a40b788774060ac49f4e5254455b3b9bedffab8876a585e

SHA512
dffae330e8de723608286a7914b9db25a217f41da2887f4150620808bceb9eb135ca7066b5ab7dec1becaaa0cbeac764c7d4ea1c53c1c67c228b37f8b87f5d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltnan41c\ltnan41c.0.cs

Filesize
8KB

MD5
430cd25305c89d02d7eaa8e585b542ff

SHA1
0590505cdca3d68d0b4820cd48775537a802ea24

SHA256
9146c20a0078b1d0392b648707ab76f3aa7baf05647cf66a5200d5fc3baec8c5

SHA512
3af1b02cda5cb1972e9f5f26f092061c0378dcac0a2b749f7b2bd8c52bcde2d74a1f5ad16a9110ab457f52e5818a10b9ef5f9a677a13132e58d0f60695d16509

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltnan41c\ltnan41c.cmdline

Filesize
312B

MD5
937afe058e6bf035e07baf3a0515d599

SHA1
ae59be73eeda55ba3e584bfdb3d49b6061a5f09c

SHA256
bb267ddbf20526f2f35b93fe007c283167ee3c6258974417b1c9c6acbcbe7ebf

SHA512
b17117b2f9184d9a9d4ad47b43cf3c02a808161f529318bba69a998965735db2979834888272333a012d330f3a6220a6363eb0a7da199228ac57f0f9b7e36f5e

Download Submit
memory/1508-19-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1508-37-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1508-1-0x0000000000C70000-0x0000000000CD8000-memory.dmp

Filesize
416KB

Download
memory/1508-17-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1508-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/1508-20-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1508-23-0x0000000004530000-0x0000000004586000-memory.dmp

Filesize
344KB

Download
memory/1508-6-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2916-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing