imminent | 8f6b47ef4407cf14719e43ff46ff4a090269a7570509852a2366ed756f3b0aaf

General

Target

a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
Size

757KB
MD5

a0a31dd15e1039fc801a7fdb480ef91a
SHA1

426062eb6e6bca63258d3dbce674a5547ee1d507
SHA256

8f6b47ef4407cf14719e43ff46ff4a090269a7570509852a2366ed756f3b0aaf
SHA512

006d53ea10c55b846f7dd8d5f470c0e1bd3c7d991fe7588dc4939aeb5bea663209cb1e879ede6804017f80327edca3792c4a72d46e94f4a662c2d8cb8d4554d6
SSDEEP

12288:+BZl1vvNQSnTlBZl1vvNQSnTKvIT7XPa5xLaggSH1Lx0tMcqgcwwwlasqJX:W1vvNQQTz1vvNQQTKvea5xLagVH1LCqb

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Informations = "\\Informations\\Calme.exe"	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Informations = "C:\\Users\\Admin\\AppData\\Roaming\\Informations\\Calme.exe"	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5100 set thread context of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5068 set thread context of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1280	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
Token: SeDebugPrivilege	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
Token: SeDebugPrivilege	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
Token: SeDebugPrivilege	4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
Token: 33	4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
Token: SeIncBasePriorityPrivilege	4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4756	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 5100 wrote to memory of 1916	5100	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	85
PID 1916 wrote to memory of 5068	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	88
PID 1916 wrote to memory of 5068	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	88
PID 1916 wrote to memory of 5068	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	88
PID 1916 wrote to memory of 2416	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	89
PID 1916 wrote to memory of 2416	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	89
PID 1916 wrote to memory of 2416	1916	a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe	89
PID 2416 wrote to memory of 1280	2416	cmd.exe	91
PID 2416 wrote to memory of 1280	2416	cmd.exe	91
PID 2416 wrote to memory of 1280	2416	cmd.exe	91
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92
PID 5068 wrote to memory of 4756	5068	a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a0a31dd15e1039fc801a7fdb480ef91a_JaffaCakes118.exe.log

Filesize
1KB

MD5
6809c316af59007886ea5b3420fbef95

SHA1
4fef6d9eb76cab011863151e59bf624dcb659446

SHA256
8e1e00a80229ba89bc9cfcdcc8123f78ce780c983138f1b95cae9112df095105

SHA512
d67c763a8c8bd45f8af6c1d83b55433777803ca1fa9fe379055d38d93ce3b057ef622df87dc3f5466783fe7c394416307205775809b39ed33fd92fe0af4cdee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118\a0a31dd15e1039fc801a7fdb480ef91a_jaffacakes118.exe

Filesize
757KB

MD5
a0a31dd15e1039fc801a7fdb480ef91a

SHA1
426062eb6e6bca63258d3dbce674a5547ee1d507

SHA256
8f6b47ef4407cf14719e43ff46ff4a090269a7570509852a2366ed756f3b0aaf

SHA512
006d53ea10c55b846f7dd8d5f470c0e1bd3c7d991fe7588dc4939aeb5bea663209cb1e879ede6804017f80327edca3792c4a72d46e94f4a662c2d8cb8d4554d6

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
53B

MD5
ec32a9268b5de1a8bbd76a3dd4ddafe6

SHA1
557f48e15512c4ab101b2fb3d5969a4f55619ff8

SHA256
eed9db28f7ea2573691ff175d7dfe777e090fdc37b009c79427f43cd3db0ea29

SHA512
8770b81c675801d75625d0d04976159b2a33ca253b67c7fdd5fd72c1c8d179325ce0dd07cf196b54bdaaa6f93b8c32ea454662cd32ec94b9c479e25741415cf2

Download Submit
memory/1916-17-0x0000000005950000-0x00000000059FE000-memory.dmp

Filesize
696KB

Download
memory/1916-34-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1916-20-0x0000000006F40000-0x0000000006F58000-memory.dmp

Filesize
96KB

Download
memory/1916-19-0x0000000006D90000-0x0000000006DF6000-memory.dmp

Filesize
408KB

Download
memory/1916-18-0x0000000001860000-0x0000000001888000-memory.dmp

Filesize
160KB

Download
memory/1916-16-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1916-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1916-15-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/1916-14-0x0000000001810000-0x0000000001820000-memory.dmp

Filesize
64KB

Download
memory/4756-41-0x0000000007970000-0x0000000007986000-memory.dmp

Filesize
88KB

Download
memory/4756-42-0x0000000007B20000-0x0000000007B2A000-memory.dmp

Filesize
40KB

Download
memory/5068-32-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5068-33-0x0000000000C40000-0x0000000000C62000-memory.dmp

Filesize
136KB

Download
memory/5068-38-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5068-35-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5100-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/5100-6-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/5100-5-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/5100-13-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5100-7-0x0000000006810000-0x00000000068AC000-memory.dmp

Filesize
624KB

Download
memory/5100-8-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/5100-4-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5100-9-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/5100-3-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/5100-2-0x0000000004CA0000-0x0000000004CBA000-memory.dmp

Filesize
104KB

Download
memory/5100-1-0x0000000000310000-0x00000000003D4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads