Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 09:05

General

  • Target

    ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe

  • Size

    648KB

  • MD5

    ca8a20ea8d4c2138ceea59b48e0866b4

  • SHA1

    873da3bd6e0864f7f4aef6bb9221cd6a7c6fe705

  • SHA256

    6ff3d035b2e8e8e4e916d812d56fc80ef208a73df53f518a8e3897d36b98587b

  • SHA512

    15f85396048d726f9be0f98aeb30bd20897c74c3963b63f6effc2d07e1f4d419f730b6affcceaf162aa9e856d2cbf51c0c66e36e2800c828509b09016e19c355

  • SSDEEP

    6144:zXkq206D2dF/ciYI+4wvsMgeFwjdcIS77J1gMvDrcxlFRShozxSdRrZX+Uam:zXnz5iQYwjdcIsvdDLhwS5

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2224
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

    Filesize

    648KB

    MD5

    ca8a20ea8d4c2138ceea59b48e0866b4

    SHA1

    873da3bd6e0864f7f4aef6bb9221cd6a7c6fe705

    SHA256

    6ff3d035b2e8e8e4e916d812d56fc80ef208a73df53f518a8e3897d36b98587b

    SHA512

    15f85396048d726f9be0f98aeb30bd20897c74c3963b63f6effc2d07e1f4d419f730b6affcceaf162aa9e856d2cbf51c0c66e36e2800c828509b09016e19c355

  • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

    Filesize

    52B

    MD5

    16becb98e228a31d541de78dda5bfdfb

    SHA1

    6de9bfd466e958cfa482d1fc50ed4ba8f3897532

    SHA256

    43997393dc669976a78d434605609061209cf5ecc4aad10a81de5d83d9309575

    SHA512

    3bcaecef18fa815e94faed88c3f92915f2663228760aeb4db7f16805e4da35820959d9903c0fe36793d547386395e44397985f5b477c1bb42c5650c3846bf60e

  • memory/2224-11-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2224-10-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2224-12-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2224-15-0x000000001AED0000-0x000000001AEDE000-memory.dmp

    Filesize

    56KB

  • memory/2224-27-0x000000001AF00000-0x000000001AF0C000-memory.dmp

    Filesize

    48KB

  • memory/2224-28-0x000000001AF40000-0x000000001AF56000-memory.dmp

    Filesize

    88KB

  • memory/2224-29-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2420-2-0x0000000000460000-0x0000000000488000-memory.dmp

    Filesize

    160KB

  • memory/2420-4-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2420-3-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2420-13-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2420-0-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp

    Filesize

    4KB

  • memory/2420-1-0x0000000000840000-0x00000000008A0000-memory.dmp

    Filesize

    384KB