imminent | f1fe83abf9e6ca5258079ae8219e364a90fe120bdadc196ec905d949ce15c2b0

General

Target

9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
Size

500KB
MD5

9462985686930c30cc5e4384593e9239
SHA1

8f2244a7f55961e8cb925ce6a1bf8866a132afb9
SHA256

f1fe83abf9e6ca5258079ae8219e364a90fe120bdadc196ec905d949ce15c2b0
SHA512

355294c4011cd3fdad3d18e8ede43adc627de13c29b6afc702aa198bfcacc85366479ba21b8a1cc3946793506cebd182788f6936034333abf390936b45910f2f
SSDEEP

6144:+kWM1y0f6wmZG9zRXqkqtkQ+kLX01lu9T/kxiIAEdo29KvHCadUWcYh62mTb0ViF:JWRcJFxD1lupkxHxoSCBA2ml

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VbYCHG.url	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4476	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
Token: SeDebugPrivilege	4476	RegAsm.exe
Token: 33	4476	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4476	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4476	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1764	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	83
PID 1316 wrote to memory of 1764	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	83
PID 1316 wrote to memory of 1764	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	83
PID 1764 wrote to memory of 1624	1764	csc.exe	87
PID 1764 wrote to memory of 1624	1764	csc.exe	87
PID 1764 wrote to memory of 1624	1764	csc.exe	87
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88
PID 1316 wrote to memory of 4476	1316	9462985686930c30cc5e4384593e9239_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\9462985686930c30cc5e4384593e9239_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9462985686930c30cc5e4384593e9239_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e15d5cx0\e15d5cx0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513D.tmp" "c:\Users\Admin\AppData\Local\Temp\e15d5cx0\CSC3700DAC16DE24F6AB8D42679D6EAAC4.TMP"
    3⤵
    PID:1624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES513D.tmp

Filesize
1KB

MD5
6d48232d7ddeeb61d0a8d8bd83edf0d0

SHA1
43430453b220502fcb7c7cd41058293ffde06045

SHA256
df9a4e80ad975a739b8dc32159b10c9c0bfe338548cca55222d77e672676e77e

SHA512
38aca58da5a7346da52286eb1d08ed61131e7b6e0fd6a08650697a59040f74a06ec333f0c18a388433d2b52f32967205d6c0d51b3ee7e7e9f84d1189c480a871

Download Submit
C:\Users\Admin\AppData\Local\Temp\e15d5cx0\e15d5cx0.dll

Filesize
7KB

MD5
b7ca0d191860b8432117b4ca5f3f5e85

SHA1
0b0b8276b83503d83fa5f0ff676db2e4b96cf1aa

SHA256
29213b5483204c2b05003a5e4428f80cb64235fc1244d5cc7e843e52c3ee89b4

SHA512
1ff6416704c9456c736e68ceca40b8e3825a994362ec7a665cf428b63a7d5adc204f02fbcdddd7822bd287afc861fa775edafb15ac25935f2dceb3c17735e5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e15d5cx0\e15d5cx0.pdb

Filesize
23KB

MD5
8eb2e0dc9013e1778cb90f872b08649e

SHA1
71a38d12447696e9f112dd61b4b4ad18ec63a5c0

SHA256
61406904312999659202fae247b5d1e86897c6027cbdf050e4ea9dbc66c5ef8d

SHA512
73b22bbc9272ff9fef74cdf39b839fe497c43c7a8f46472edf066d7fc8cb4894024ab0f36ae1ca0ee61c13296ba61e9b62a72033aea976c3c8aa6207b95dcb26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e15d5cx0\CSC3700DAC16DE24F6AB8D42679D6EAAC4.TMP

Filesize
1KB

MD5
21ed936cb3d02a4d998a37f48f9779d4

SHA1
9f70bd0760d761e539b90de037a5f89d4f12fbf2

SHA256
ad0db98a2738d7fa4b50b101238f007acab91a164a5686d851938da1fcd67e22

SHA512
56b94d6e2be0be6ef00cb7e16f71955f184010c631e97aa21fd5e217ad64b75be52957173aa3c3ca1849e0943d8a8b0b9c70b46c4aa6f5fc2204b55444c384bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e15d5cx0\e15d5cx0.0.cs

Filesize
6KB

MD5
ce09d92cdfc3111eca28b0af318d2269

SHA1
95830d0d6f6641efe59d6b34a3f5abb1e5cd3edc

SHA256
bb9d7b454acae18c32147036433d0b86e3c802783c6eee1e4d8250be3c8da95e

SHA512
65c85488977226c6bd403c66b439050f36a50c29e8f8809e55beea12f04f2adf1884faa8ff4945a6c121fa5e172b4d6370f38f0acf8cf145190c1718667351a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e15d5cx0\e15d5cx0.cmdline

Filesize
312B

MD5
189268fa36cbb69d0914e1f599c7dd15

SHA1
105ca2651bdb74f5dfc764ec750f0fe3c9498c75

SHA256
d269b82e3d0ff8dc8243175a7ec550760a3f603aaadbfd06e3277419d2abfce6

SHA512
f9cc91ea7ba8c7abc1721ffc51debd5178654650ad4802b65d581c51011bd1d319063080f9e0a4f8447c70c8187053afcc15ac49924bcd49b37cc1caf50ab053

Download Submit
memory/1316-19-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/1316-28-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1316-1-0x0000000000470000-0x00000000004F4000-memory.dmp

Filesize
528KB

Download
memory/1316-17-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/1316-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/1316-20-0x00000000053E0000-0x0000000005440000-memory.dmp

Filesize
384KB

Download
memory/1316-21-0x0000000004F80000-0x0000000004F8C000-memory.dmp

Filesize
48KB

Download
memory/1316-24-0x0000000005440000-0x0000000005496000-memory.dmp

Filesize
344KB

Download
memory/1316-25-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/1316-5-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/4476-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4476-29-0x0000000071692000-0x0000000071693000-memory.dmp

Filesize
4KB

Download
memory/4476-30-0x0000000071690000-0x0000000071C41000-memory.dmp

Filesize
5.7MB

Download
memory/4476-31-0x0000000071690000-0x0000000071C41000-memory.dmp

Filesize
5.7MB

Download
memory/4476-39-0x0000000071692000-0x0000000071693000-memory.dmp

Filesize
4KB

Download
memory/4476-40-0x0000000071690000-0x0000000071C41000-memory.dmp

Filesize
5.7MB

Download
memory/4476-41-0x0000000071690000-0x0000000071C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing