imminent | 0c9c2d9f3fae53310238d294bc9f9b020c4bb513a1946abbe5762458623899f1

General

Target

80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
Size

394KB
MD5

80d97e6956cac5c3e1932d6400da559c
SHA1

e7f9775ba192271d11d77b9da1821ffdba8367d4
SHA256

0c9c2d9f3fae53310238d294bc9f9b020c4bb513a1946abbe5762458623899f1
SHA512

571d557b21d9add9e5bb311b7b6209afd6efa7ce986771b8c27419d89cd5eb9f4c919d4346392776c54fba061f12a009265ca3f68cffc2fc12f7896af9011bb0
SSDEEP

6144:5UHSIWbCGWh4XA8FP2+zd0vUMnPbRn3jy6GhOeT5oaxxMcof9JCH3nFRT7sIzFhg:5UHSbwermT3MT5o3/inHEsFFV

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TuAKWf.url	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2580	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
Token: SeDebugPrivilege	2580	RegAsm.exe
Token: 33	2580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2580	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2580	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2420	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	82
PID 1628 wrote to memory of 2420	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	82
PID 1628 wrote to memory of 2420	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	82
PID 2420 wrote to memory of 5108	2420	csc.exe	84
PID 2420 wrote to memory of 5108	2420	csc.exe	84
PID 2420 wrote to memory of 5108	2420	csc.exe	84
PID 1628 wrote to memory of 4256	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	87
PID 1628 wrote to memory of 4256	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	87
PID 1628 wrote to memory of 4256	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	87
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88
PID 1628 wrote to memory of 2580	1628	80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80d97e6956cac5c3e1932d6400da559c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fuwnwrn\3fuwnwrn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FE3.tmp" "c:\Users\Admin\AppData\Local\Temp\3fuwnwrn\CSC841963415EB141EFBD459FA64A29DF95.TMP"
    3⤵
    PID:5108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fuwnwrn\3fuwnwrn.dll

Filesize
8KB

MD5
8523f4dfb6639a745c80f1f95e5a4dfb

SHA1
f8c3a3d5503ffda99243c23d2f0e65bbf863758b

SHA256
5e3315b52ae9f68113fae7b47084f37161a2900590897d5a66aa9c20b54c5758

SHA512
42b68f02dff5ede0f9b9b775b2a2d10fa73980fd004836e965bc8596213b2268cc2612eb071984382c90e21966e31692ff80ac1cb14cff9a0a815f74484fc78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fuwnwrn\3fuwnwrn.pdb

Filesize
25KB

MD5
c4b141bc60cb4517e2878a062987d0df

SHA1
c8468660ad926ce06158d51ede905ed9dd91e263

SHA256
862f52a2cb0eca5dfec8393f93b6da58a218ed2c533e526bab3d76436395d5d0

SHA512
f161bf9744ea6d3e42bc207edcc8a0b82686bbb7f4b39fe6183d0f5f3211bf1d3e879b9d241f2564512a214ef0fdfa44c4e94da12ea2d8591fb633dbd59019fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5FE3.tmp

Filesize
1KB

MD5
115301b9bae80d343517cdbd7c6d3d77

SHA1
bd5580590cff0bbb82236cc2a0985154ab11a878

SHA256
fc65d7936180b0848c2eb66b532604abb72651929f13a08fa39dcae00f7829d7

SHA512
4521627a1cdd635194d279d30e7b67a90438b36c16b3899111f8810d5db2a5c8c602609fe80539a33d5723e53c0d036f270550c36c8f419992e588fe04ab64fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fuwnwrn\3fuwnwrn.0.cs

Filesize
8KB

MD5
430cd25305c89d02d7eaa8e585b542ff

SHA1
0590505cdca3d68d0b4820cd48775537a802ea24

SHA256
9146c20a0078b1d0392b648707ab76f3aa7baf05647cf66a5200d5fc3baec8c5

SHA512
3af1b02cda5cb1972e9f5f26f092061c0378dcac0a2b749f7b2bd8c52bcde2d74a1f5ad16a9110ab457f52e5818a10b9ef5f9a677a13132e58d0f60695d16509

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fuwnwrn\3fuwnwrn.cmdline

Filesize
312B

MD5
51fef00a49351fff0c748b3c00d72c71

SHA1
b094e5e2c58ab5bdaed2d9c01379d5b9f3c4322f

SHA256
8e63fa722ad828d4f5d47030d1ac220394d0caf02702abba63b9d1db206435dc

SHA512
03e614ffdfe36974fc02f6c4afddb8d2a221879b000bf8192a9325684c3a9f52a1be54a11ca7e44168e54b4ed4074d20ebe3ada33ad8f8cb73c416cce01f0f12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fuwnwrn\CSC841963415EB141EFBD459FA64A29DF95.TMP

Filesize
1KB

MD5
d6b901c59383522fa3d3c143676e16e4

SHA1
274485742b6aae4d8eb2d05e911a32f543522ac6

SHA256
d9846c02eb83a020cb7f7c69e67a3d9929998fc97b0a495d2a5544794f3731fd

SHA512
153fd2e28f5e45957a60247bd7fa248a6597a038e0fbdafc997befac9d896026643271b9baf40d496b591c84ea115bba5c2c854f4703c2d2c7f1fa562e3dda2a

Download Submit
memory/1628-19-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/1628-28-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/1628-1-0x00000000007D0000-0x0000000000838000-memory.dmp

Filesize
416KB

Download
memory/1628-17-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/1628-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1628-20-0x0000000005740000-0x00000000057A0000-memory.dmp

Filesize
384KB

Download
memory/1628-21-0x0000000005160000-0x000000000516C000-memory.dmp

Filesize
48KB

Download
memory/1628-24-0x00000000057A0000-0x00000000057F6000-memory.dmp

Filesize
344KB

Download
memory/1628-25-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/1628-5-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2580-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2580-29-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/2580-30-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2580-31-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2580-39-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/2580-41-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing