imminent | d07f8aa03c96baaacb17564a7bd9d8be6b7effb347a1a98e1ea201a528e4ff8f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Size

652KB
MD5

aee5704ab8e1ef4484caef048a2e286f
SHA1

e023f6678b315e5b48beeaa0f3239adc15aaf59f
SHA256

d07f8aa03c96baaacb17564a7bd9d8be6b7effb347a1a98e1ea201a528e4ff8f
SHA512

184645be06e5945d09c1c0bb0756e4943757d44db203928e025c6f5147c516123d9fc2221f1cd53e684edf170a39f7c3bfc58ba20a7824a21a77d21d03be36ef
SSDEEP

12288:2lAb5lthGT76dsIqVpYO+NyEcQQ+9OoZyXTGMFTBJPfiIR:2azrGT7muSiEc+9OoGG4pqI

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
1596	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winstart = "\\defenderst\\winlogimde.exe"	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winstart = "C:\\Users\\Admin\\AppData\\Roaming\\defenderst\\winlogimde.exe"	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1936 set thread context of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2140	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Token: SeDebugPrivilege	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
Token: SeDebugPrivilege	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
Token: SeDebugPrivilege	860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
Token: 33	860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
Token: SeIncBasePriorityPrivilege	860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
860	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 1736 wrote to memory of 2744	1736	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	28
PID 2744 wrote to memory of 1936	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1936	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1936	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1936	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	32
PID 2744 wrote to memory of 1596	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1596	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1596	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	33
PID 2744 wrote to memory of 1596	2744	aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe	33
PID 1596 wrote to memory of 2140	1596	cmd.exe	35
PID 1596 wrote to memory of 2140	1596	cmd.exe	35
PID 1596 wrote to memory of 2140	1596	cmd.exe	35
PID 1596 wrote to memory of 2140	1596	cmd.exe	35
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36
PID 1936 wrote to memory of 860	1936	aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118\aee5704ab8e1ef4484caef048a2e286f_jaffacakes118.exe

Filesize
652KB

MD5
aee5704ab8e1ef4484caef048a2e286f

SHA1
e023f6678b315e5b48beeaa0f3239adc15aaf59f

SHA256
d07f8aa03c96baaacb17564a7bd9d8be6b7effb347a1a98e1ea201a528e4ff8f

SHA512
184645be06e5945d09c1c0bb0756e4943757d44db203928e025c6f5147c516123d9fc2221f1cd53e684edf170a39f7c3bfc58ba20a7824a21a77d21d03be36ef

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
56B

MD5
c21ff3751aeec4506de0e2b2bec7cf66

SHA1
f7ecfd2d361c287233d4480f4982d815cde28832

SHA256
e7723b9bd121f5246641ae6736675c2f188e276c886e4cec6b405c92e10a5f36

SHA512
1615e7d1e0a965c9a988a064e56e848211592d5ba5eceed513f586f704b7909da4dc6cb54a045fb456983796060058af13cf2bf2b23ba6e04884a14cef877af6

Download Submit
memory/860-35-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/1736-3-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/1736-4-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-5-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/1736-6-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-7-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-18-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-2-0x00000000008B0000-0x0000000000942000-memory.dmp

Filesize
584KB

Download
memory/1736-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000B40000-0x0000000000BEC000-memory.dmp

Filesize
688KB

Download
memory/1936-27-0x0000000001080000-0x000000000112C000-memory.dmp

Filesize
688KB

Download
memory/2744-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-17-0x0000000000370000-0x0000000000398000-memory.dmp

Filesize
160KB

Download
memory/2744-16-0x0000000004C10000-0x0000000004CBE000-memory.dmp

Filesize
696KB

Download
memory/2744-14-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-15-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-26-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-13-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2744-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads