imminent | c809e2e044199a760b4b82f46e0b91eccd1868a8ecdfd4b46d0aab13e97dd5c1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
Size

206KB
MD5

bad10e7a73dc3f07ccfc1031b4be97dc
SHA1

200edd71a5ab8c08fc0542b61bd18943eefc59bb
SHA256

c809e2e044199a760b4b82f46e0b91eccd1868a8ecdfd4b46d0aab13e97dd5c1
SHA512

ab1a1274b0a98b6029369fcd49ece52d8f5ad049e15e4c06fca6ab91cf8447fd5f692412b71819e29b08494c0236b925e3dfea2de33259a211a70f9ccceecff5
SSDEEP

3072:imLGeqioyN51MpjgPsoAbh2WtwAeyK4QupNwyb5O0koHy930n1Fb/nbgoA:qeTV4pjgk3F1iAy4fo61q9I/

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Net Framework = "\\Microsoft Updater\\netsvc32.exe"	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Net Framework = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Updater\\netsvc32.exe"	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bad10e7a73dc3f07ccfc1031b4be97dc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
59B

MD5
22f3c2851fecaa44e84ce97535507dbf

SHA1
766f3c7511d541159fa56b5c63eea98e2bdc52e0

SHA256
bcec886ba638ba8e18660953a497f1c5bcfeaa924cfc2d4a39a4efdcb7297087

SHA512
c54dddc1596195e79b8ef2797b35756282f6e4633a862c14db4a935969a85354274553d2040943d59342a64e327f365ca83d8fc578c33bb55c3e37cd5a5b5a3c

Download Submit
memory/1368-6-0x000000001CB70000-0x000000001D03E000-memory.dmp

Filesize
4.8MB

Download
memory/1368-2-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/1368-3-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/1368-4-0x00000000015F0000-0x000000000164E000-memory.dmp

Filesize
376KB

Download
memory/1368-5-0x00000000018A0000-0x00000000018C8000-memory.dmp

Filesize
160KB

Download
memory/1368-0-0x00007FFFF0225000-0x00007FFFF0226000-memory.dmp

Filesize
4KB

Download
memory/1368-9-0x00000000014C0000-0x00000000014CE000-memory.dmp

Filesize
56KB

Download
memory/1368-1-0x000000001BEF0000-0x000000001BF96000-memory.dmp

Filesize
664KB

Download
memory/1368-18-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/1368-21-0x00007FFFF0225000-0x00007FFFF0226000-memory.dmp

Filesize
4KB

Download
memory/1368-24-0x00007FFFEFF70000-0x00007FFFF0911000-memory.dmp

Filesize
9.6MB

Download
memory/1368-27-0x0000000001B70000-0x0000000001B7C000-memory.dmp

Filesize
48KB

Download
memory/1368-28-0x0000000001670000-0x0000000001686000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads