Overview

overview

10

Static

static

3

a0e983ac9b...18.exe

windows7-x64

10

a0e983ac9b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0e983ac9bc736fc036deb22f66fac7b_JaffaCakes118.exe

  • Size

    839KB

  • MD5

    a0e983ac9bc736fc036deb22f66fac7b

  • SHA1

    263992909fcfbbb3f4bebbd72de6076e7bbbc35e

  • SHA256

    d02ac25c541c1db2c472c3911c85102d1696ea91e7c7f91d5223f05c9578a4d6

  • SHA512

    7c7f11eb5d55291f4a3cd21cd486b7338c5eb2cfe8f94217c0cd6d75919994b6b36ddb7c829d9c596df9f227dcdc8d3a1ff7be42c35b9dc3f525fba4ff60edb2

  • SSDEEP

    12288:+bOrWJ/dY02/a7yOWzNc4GG1bGd6H5FX+K3gszVXVxzIcz5muGpia2QUVH:HyV9sa77m5b1bGqdVFxzb5mlA

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0e983ac9bc736fc036deb22f66fac7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0e983ac9bc736fc036deb22f66fac7b_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiwin.exe
      2⤵
        PID:2568
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiwin.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiwin.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1084
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:1504

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msiwin.exe
        Filesize

        839KB

        MD5

        a0e983ac9bc736fc036deb22f66fac7b

        SHA1

        263992909fcfbbb3f4bebbd72de6076e7bbbc35e

        SHA256

        d02ac25c541c1db2c472c3911c85102d1696ea91e7c7f91d5223f05c9578a4d6

        SHA512

        7c7f11eb5d55291f4a3cd21cd486b7338c5eb2cfe8f94217c0cd6d75919994b6b36ddb7c829d9c596df9f227dcdc8d3a1ff7be42c35b9dc3f525fba4ff60edb2

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
        Filesize

        478B

        MD5

        f7fc8c939e41d03322b8ffdc0204dc7b

        SHA1

        710260c39d00d286e10b1530f846bcefcd7ef141

        SHA256

        5d44ea3ed9fd4d1146d1250f53d303f4c94a23c519d0b2bbb7ce3188219a3fda

        SHA512

        720949320a1e4842ccd08b9c5b6223864596b3ddd0fa82426db56f7e6bb09e4278afe05323478cb22065aa6cbd0788e16c5c9a811a8e7c942fcf2a7663e4919b

        Download Submit

      • memory/1084-15-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1084-17-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1084-16-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2124-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2124-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2124-2-0x0000000074AC0000-0x000000007506B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2124-3-0x0000000074AC0000-0x000000007506B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2124-4-0x0000000074AC0000-0x000000007506B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2124-10-0x0000000074AC0000-0x000000007506B000-memory.dmp

        Filesize

        5.7MB

        Download