Overview

overview

10

Static

static

3

92151fb8c3...18.exe

windows7-x64

7

92151fb8c3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92151fb8c3fb1f3a0097776c8b2327bc_JaffaCakes118.exe

  • Size

    339KB

  • MD5

    92151fb8c3fb1f3a0097776c8b2327bc

  • SHA1

    efa2044129396ca67854bebad03a915cec49a6d1

  • SHA256

    a3808c60f2c8e23db6dd204c8b67c8f21f75d85578ae457f5226824d6400bcde

  • SHA512

    9016b9461af078b36400824eccdb1d159ea59856959d5c107cd8f0f643fee4684d6ec81d389fbfbca3da9ea33e90fe18af3ecc897fd961abecc4ea7c6a858683

  • SSDEEP

    6144:TWCT/aNHrTJUSm4vbZw/jyZz+79oNQm11U/l6geGFdzFf3LIJ4JQQwxI6d:TWCTOLTJBm4TZw/oz+xJzUorx3LXQbx7

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:3844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118\92151fb8c3fb1f3a0097776c8b2327bc_jaffacakes118.exe
    Filesize

    339KB

    MD5

    92151fb8c3fb1f3a0097776c8b2327bc

    SHA1

    efa2044129396ca67854bebad03a915cec49a6d1

    SHA256

    a3808c60f2c8e23db6dd204c8b67c8f21f75d85578ae457f5226824d6400bcde

    SHA512

    9016b9461af078b36400824eccdb1d159ea59856959d5c107cd8f0f643fee4684d6ec81d389fbfbca3da9ea33e90fe18af3ecc897fd961abecc4ea7c6a858683

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
    Filesize

    54B

    MD5

    7a2e065810f46b8b2e622442d8bf56e7

    SHA1

    36fd4769cf3b8b5b4487a8c5fe065cdb2e2dd8e1

    SHA256

    232c6942b47749956eaa786fd60e7dd141127ff0fb84734797422b941c646554

    SHA512

    f13908c20079d66dee2722467686a28b0a35ef6fb70c6b40900bd0ad83ce4a59416df1dd82e18e1a52c8c3afd1b736eb49b9fc82146c27f8c5a5732453854e04

    Download Submit

  • memory/2572-14-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-15-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-18-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2572-46-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3444-0-0x0000000074F82000-0x0000000074F83000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3444-1-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3444-2-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3444-17-0x0000000074F80000-0x0000000075531000-memory.dmp

    Filesize

    5.7MB

    Download