imminent | f1fe83abf9e6ca5258079ae8219e364a90fe120bdadc196ec905d949ce15c2b0

General

Target

9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
Size

500KB
MD5

9462985686930c30cc5e4384593e9239
SHA1

8f2244a7f55961e8cb925ce6a1bf8866a132afb9
SHA256

f1fe83abf9e6ca5258079ae8219e364a90fe120bdadc196ec905d949ce15c2b0
SHA512

355294c4011cd3fdad3d18e8ede43adc627de13c29b6afc702aa198bfcacc85366479ba21b8a1cc3946793506cebd182788f6936034333abf390936b45910f2f
SSDEEP

6144:+kWM1y0f6wmZG9zRXqkqtkQ+kLX01lu9T/kxiIAEdo29KvHCadUWcYh62mTb0ViF:JWRcJFxD1lupkxHxoSCBA2ml

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VbYCHG.url	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
Token: SeDebugPrivilege	2652	RegAsm.exe
Token: 33	2652	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2652	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2916	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2916	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2916	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2916	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2596	2916	csc.exe	30
PID 2916 wrote to memory of 2596	2916	csc.exe	30
PID 2916 wrote to memory of 2596	2916	csc.exe	30
PID 2916 wrote to memory of 2596	2916	csc.exe	30
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31
PID 2340 wrote to memory of 2652	2340	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9462985686930c30cc5e4384593e9239_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyjv0ff2\hyjv0ff2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C8.tmp" "c:\Users\Admin\AppData\Local\Temp\hyjv0ff2\CSC67E5ABA19B8446EAF1D40D331BF6DBB.TMP"
    3⤵
    PID:2596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES19C8.tmp

Filesize
1KB

MD5
041e1b40754ac5b4e3c11f2fcda2ef09

SHA1
c17fec02fb7ea643bb68d85be420a91e042f8ca1

SHA256
3e0d93a5b4449405f1cbf6f8fcdbf7e7baf4d26af574827d3048755d684bb614

SHA512
c11fdda689cc60a22e58831bfeb490aa3436793aca69364d8f36dc2d3d0fc245b84ebde3418b854c7bfab695d9e0b53b543b543d23393bdfa23a4856b346e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyjv0ff2\hyjv0ff2.dll

Filesize
7KB

MD5
35c18d55b5194e8a9bc4907fca158de9

SHA1
5ea1ee433d2f4e0708a42215c123062bde53ab7f

SHA256
8b401cf4e35c42a4c699d3783e957be5d8e98489c152d888298323f91f8c934d

SHA512
60395f43462721c1c2e6dc7fe68d514a8676ad50b68e36781d760de7eaa2f6fa1a36a1ab3a2469db6ec165bd1d0accd6c33f4e23fb6a8ba222cebd70d1ac4b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyjv0ff2\hyjv0ff2.pdb

Filesize
23KB

MD5
19b6a5242f16c00b11b364b981f6551f

SHA1
4ddadd0b34309fef45a822f573f0c63221e67493

SHA256
1eff6567a84773fa147bb671f0cbb41e51b1665a6020aa6293b011ee63cf2b8c

SHA512
1a106828a7a76d8a5c9d07ee86b0ec166f1f8b9334f397ca78f57f8959af5922836aee564e44a2424389b4ad83d862f4c258ed7ea1bcf77a358452858b71d03f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyjv0ff2\CSC67E5ABA19B8446EAF1D40D331BF6DBB.TMP

Filesize
1KB

MD5
2be9483a4fc4a9739280e57c4368dfbc

SHA1
c40bbce98ea6987bcff880d32b133cc922a6988b

SHA256
538614170f41c1f345b4044159a11c4bcb5b8d328368c4a83752673bdf125f12

SHA512
fc69d3bf362a0613b7b499c5ffe895d285b10b6fff03f231ecd4ba4d584c79414dedb94c7a85075ed7a6b1ded1c06a1e6a4e87b2808227fafaa10e82b4c400d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyjv0ff2\hyjv0ff2.0.cs

Filesize
6KB

MD5
ce09d92cdfc3111eca28b0af318d2269

SHA1
95830d0d6f6641efe59d6b34a3f5abb1e5cd3edc

SHA256
bb9d7b454acae18c32147036433d0b86e3c802783c6eee1e4d8250be3c8da95e

SHA512
65c85488977226c6bd403c66b439050f36a50c29e8f8809e55beea12f04f2adf1884faa8ff4945a6c121fa5e172b4d6370f38f0acf8cf145190c1718667351a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyjv0ff2\hyjv0ff2.cmdline

Filesize
312B

MD5
5d071aae3ac5978c54300ff31e2708fc

SHA1
85db39d7830f1bec21db94ed408a0056be5c6371

SHA256
7f9c4fc1e545781f9b1618f045db3e58319ec34c32800784613da176054c0799

SHA512
f95be9ca92f7c9be40af4d36d261e32dca8bafcd2b79bda6d57f06d320ee6d05b3cd3844187402d13e5c9824e965f90d7e6418865516fef95e800af4d779ca7b

Download Submit
memory/2340-19-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2340-37-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-1-0x0000000001200000-0x0000000001284000-memory.dmp

Filesize
528KB

Download
memory/2340-17-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2340-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2340-20-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/2340-23-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/2340-6-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2652-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing