Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 18:45

General

  • Target

    8184243fbfd1d32d461404890695adb7_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    8184243fbfd1d32d461404890695adb7

  • SHA1

    0b321e759af79716c82d3e3abf4940a0ccc15a05

  • SHA256

    a022ba42dfa1f0e62d45b0f333d00fb5edc2c2aada060a1a8c7f89522ed020f2

  • SHA512

    4252c057489288621abea0a1972ddc1307a3fa11369d94c2155dd36c28f9d07ac5827cceedda2535c7b36328a8a58bb12f380f865e5baad616d4b038e3f8ae27

  • SSDEEP

    49152:ykwkn9IMHeaB2VUyjDk00O2IkJnx/NDaPCS:xdnVIVpjD6BXz1ePC

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC; together with WriteProcessMemory this is the API pair used for process hollowing)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC; repeated GetForegroundWindow polling, typically used to track the active window)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs; enables privileges on the process token)
  • Suspicious use of SetWindowsHookEx (1 IoC; installs a Windows message hook, the API keyloggers use to capture input)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8184243fbfd1d32d461404890695adb7_JaffaCakes118.exe (PID 5008, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8184243fbfd1d32d461404890695adb7_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 464, tree depth 2, child of PID 5008)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (no arguments)
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx

    Read together, the two entries form a process-hollowing chain: the sample (PID 5008) spawns the signed .NET utility RegAsm.exe with no assembly to register, writes into it with WriteProcessMemory and redirects its thread with SetThreadContext, and every persistence, hooking and privilege action is then attributed to RegAsm.exe (PID 464) rather than to the sample. A detection keyed only on the sample's image name misses the active stage; key instead on RegAsm.exe started without arguments from a parent that is not a build tool.
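The following is an added example, not part of the sandbox report, showing how the chain above can be turned into detection logic: it walks a list of process records, finds children whose image is a commonly hollowed .NET utility, and flags them when the parent shows the SetThreadContext/WriteProcessMemory pair, adding corroborating reasons (no command-line argument, parent in a user-writable path, post-injection behaviours). The event records, their field names and the benign control entries are constructed for this example and are not a sandbox export format; the list of hollowing hosts beyond RegAsm.exe is an assumption for hunting, not something the report states.

```python
"""Flag the process-hollowing pattern from the report's process tree.

Added example, not part of the sandbox report. Event records and field
names are constructed; they mirror the report's tree, not an export format.
"""
import ntpath

# Signed Microsoft binaries commodity RATs commonly hollow. RegAsm.exe is the
# host in this report; the rest are assumed additions for hunting.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}
# Behaviours the report attributes to the hollowed host after injection.
POST_INJECTION = {"Adds Run key", "Drops desktop.ini", "SetWindowsHookEx",
                  "AdjustPrivilegeToken"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed events: the report's two processes plus a benign control pair
# (a developer tool registering an assembly the normal way).
EVENTS = [
    {"pid": 5008, "ppid": 4100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8184243fbfd1d32d461404890695adb7_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\8184243fbfd1d32d461404890695adb7_JaffaCakes118.exe"',
     "behaviours": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 464, "ppid": 5008,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
     "behaviours": {"Adds Run key", "Drops desktop.ini", "SetWindowsHookEx",
                    "AdjustPrivilegeToken", "GetForegroundWindowSpam"}},
    {"pid": 800, "ppid": 1,  # hypothetical benign parent
     "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\devenv.exe" Foo.sln',
     "behaviours": set()},
    {"pid": 900, "ppid": 800,  # RegAsm used as intended: an assembly argument, no injection
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase C:\build\Foo.dll',
     "behaviours": set()},
]


def args_after_image(cmdline):
    """Return whatever follows the (possibly quoted) image path in a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_hollowing(events):
    """Return one finding per hollowing-host child whose parent shows the injection API pair."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        host = ntpath.basename(child["image"]).lower()
        parent = by_pid.get(child["ppid"])
        if host not in HOLLOW_HOSTS or parent is None:
            continue
        if not INJECTION_APIS <= parent["behaviours"]:
            continue  # no evidence the parent wrote into or redirected the child
        reasons = ["parent used SetThreadContext and WriteProcessMemory"]
        if not args_after_image(child["cmdline"]):
            reasons.append(f"{host} started with no assembly argument")
        if not parent["image"].lower().startswith(TRUSTED_DIRS):
            reasons.append("parent image lives in a user-writable path")
        post = sorted(child["behaviours"] & POST_INJECTION)
        if post:
            reasons.append("host then: " + ", ".join(post))
        findings.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                         "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"PID {f['parent_pid']} -> {f['host']} (PID {f['child_pid']})")
        for r in f["reasons"]:
            print("   -", r)
```

The injection pair is the gating condition; the other reasons only strengthen a finding. That keeps the developer's genuine `RegAsm.exe /codebase` invocation (PID 900 above) out of the results while still surfacing the argument-less instance the report shows.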

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut38A4.tmp

    Filesize

    513KB

    MD5

    a1cbcd3f637149e0e0f0548bede23dc3

    SHA1

    103c6317ed42b83482444d7cc5f187ff99388333

    SHA256

    5daa56df05028745b4dec454922388c6b3a97f8e4e2abc5b33f56cfec763e0f6

    SHA512

    bf7f469701038e94a45d436e71c9a92f0348dda781a13c1c29fcb8bc3738da55ae58752003eaed3cb9bbae1bb88625f299b6d9c650f684b93181f0c8e0aaf0dd

  • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

    Filesize

    52B

    MD5

    4b437b3b0399740a6c93684ec04f78d3

    SHA1

    81d9cf320a5f64370fc4b8222822ad9972422843

    SHA256

    7c6ac32cfeb5f1b9167765ce716a58cd18794397c9e385a434ba673ef46929b6

    SHA512

    dc19060e7cefad623bb9f7fe6c6596b4cda8e6e33f7225324895594c5b06702c7021845aefe9b768cbe6427a6b09b774afb05dd908edab74e71270ea6a71a8e6

  • memory/464-9-0x0000000000620000-0x00000000006A6000-memory.dmp

    Filesize

    536KB

  • memory/464-14-0x0000000075302000-0x0000000075303000-memory.dmp

    Filesize

    4KB

  • memory/464-15-0x0000000075300000-0x00000000758B1000-memory.dmp

    Filesize

    5.7MB

  • memory/464-16-0x0000000075300000-0x00000000758B1000-memory.dmp

    Filesize

    5.7MB

  • memory/464-46-0x0000000075302000-0x0000000075303000-memory.dmp

    Filesize

    4KB

  • memory/464-47-0x0000000075300000-0x00000000758B1000-memory.dmp

    Filesize

    5.7MB

  • memory/5008-13-0x00000000037F0000-0x00000000037F1000-memory.dmp

    Filesize

    4KB
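The following is an added example, not part of the sandbox report, showing how the two dropped files above become usable indicators on a real host: the SHA256 values are copied from the report and matched by content, while paths are matched by shape, because the sandbox user name "Admin" will differ on a victim machine and the aut####.tmp name is a per-run GetTempFileName-style name (a prefix typical of AutoIt-compiled droppers, though the report itself does not say what produced it). The file events, their field names and the placeholder hashes are constructed for this example and are not an EDR schema.

```python
"""Match observed file events against the report's dropped-file indicators.

Added example, not part of the sandbox report. File events below are
constructed; the two SHA256 values in REPORT_HASHES are copied from the report.
"""
import re

REPORT_HASHES = {
    "5daa56df05028745b4dec454922388c6b3a97f8e4e2abc5b33f56cfec763e0f6":
        "aut38A4.tmp (513KB temp drop)",
    "7c6ac32cfeb5f1b9167765ce716a58cd18794397c9e385a434ba673ef46929b6":
        "Imminent\\Path.dat (52B)",
}

# Path shapes: the user segment and drive letter are wildcarded, and the
# aut####.tmp name is matched by pattern because it is random per run.
PATH_PATTERNS = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\imminent\\", re.I),
     "file under the Imminent RAT data directory"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\aut[0-9a-f]{4}\.tmp$", re.I),
     "aut####.tmp drop in the user temp directory"),
]

# Constructed file events; the all-zero / all-one digests are placeholders
# standing in for hashes that do not appear in the report.
FILE_EVENTS = [
    {"path": r"C:\Users\jdoe\AppData\Roaming\Imminent\Path.dat",
     "sha256": "7c6ac32cfeb5f1b9167765ce716a58cd18794397c9e385a434ba673ef46929b6"},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\aut1F2C.tmp",
     "sha256": "0" * 64},  # same drop pattern, different build: hash unknown
    {"path": r"C:\Users\jdoe\Documents\report.docx",
     "sha256": "1" * 64},
]


def match_file_event(path, sha256=None):
    """Return the hash hit and/or path hit for one observed file, or None if neither applies."""
    hash_hit = REPORT_HASHES.get((sha256 or "").lower())
    path_hit = next((label for rx, label in PATH_PATTERNS if rx.search(path)), None)
    if hash_hit is None and path_hit is None:
        return None
    return {"path": path, "hash_match": hash_hit, "path_match": path_hit}


def scan(events):
    """Apply match_file_event to every event and keep only the hits."""
    hits = []
    for e in events:
        m = match_file_event(e["path"], e.get("sha256"))
        if m:
            hits.append(m)
    return hits


if __name__ == "__main__":
    for hit in scan(FILE_EVENTS):
        print(hit["path"])
        print("   hash:", hit["hash_match"] or "-")
        print("   path:", hit["path_match"] or "-")
```

A hash hit without a path hit still means the same bytes landed somewhere unexpected; a path hit without a hash hit (the second event above) is the more common case across builds of the same family and is the reason the patterns exist.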