imminent | b8a47f274b14a345878f2df9256d933d2b927d6ad0d72a25217b5965a9df06e2

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
Size

321KB
MD5

aa7d4cc97055c4744a45962b133703c1
SHA1

db48809294f69d0dbcfc085cdee51274a143110c
SHA256

b8a47f274b14a345878f2df9256d933d2b927d6ad0d72a25217b5965a9df06e2
SHA512

e15d73dfadc984e5463b235835d2718694fa9c1b6f040514abb4566fbe74de1101a81972805b554f87927e2ce48dbde9a41484b5b4adb9af87a71cdced2b6e04
SSDEEP

6144:uBq0q96QND07RNtdvqgvk5W1QYzpzTGXnP0s5+YRUnWFgvErVodwsmD:uB46QNKNt3vk5jXPZ5bqdErVR7

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Windows.exe"	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "\\Windows\\Windows.exe"	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Windows.exe	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
Token: 33	4488	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4488	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa7d4cc97055c4744a45962b133703c1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
50B

MD5
3573578f61fab975f20f6e535fa7ce88

SHA1
71b3b946fba1ec98aa24455eb5a1fc4173ba69aa

SHA256
45ca88ac47a3c35792e76dff2eb045d43bfe5a4149d48108fc165759edabde08

SHA512
77638dc39ff35e9b767f7c6118ed6aa94106f609ff5b8c8ce41e9cc8983c9464586b0722e06d1afafc56aed18ca8164a6bc9742e2471d07043e9d2640bd297d7

Download Submit
memory/4488-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

Filesize
4KB

Download
memory/4488-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4488-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4488-3-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4488-32-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

Filesize
4KB

Download
memory/4488-33-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/4488-36-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads