imminent | ee973121367164956cf11f1e3747136f3d5ae0a7bf5b93d16f9544a77e462f31

General

Target

e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Size

455KB
MD5

e207693a0d28f9b5da56a8191d76fe3f
SHA1

43709bf8b251fd478ef14f86cddfad47b563c41a
SHA256

ee973121367164956cf11f1e3747136f3d5ae0a7bf5b93d16f9544a77e462f31
SHA512

f7ef8eeba533e67845f4eda94e1d6a551eb2f6d83a37ed581092fc9d99c5506a7d4e7e94624f568361a611bb2af3802b7e73d64b35048ef01e4ea14a1f818e5a
SSDEEP

12288:XVlgmU+jpvnSs1/RvptXqQQxAQLGoSxtALqtu7rI:ngmUps5tptajxlLHVLX

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HqYDbI.url	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Token: SeDebugPrivilege	2828	RegAsm.exe
Token: 33	2828	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2828	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2208	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2208	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2208	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	29
PID 2352 wrote to memory of 2208	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	29
PID 2208 wrote to memory of 2292	2208	csc.exe	31
PID 2208 wrote to memory of 2292	2208	csc.exe	31
PID 2208 wrote to memory of 2292	2208	csc.exe	31
PID 2208 wrote to memory of 2292	2208	csc.exe	31
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2828	2352	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atwu4e0t\atwu4e0t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DC.tmp" "c:\Users\Admin\AppData\Local\Temp\atwu4e0t\CSC4353A151EE304F6189EDAEED93D2BDAC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES38DC.tmp

Filesize
1KB

MD5
44f5cbd0b426369eac20a8cc0c9c2f37

SHA1
4a0f851e7949210f15b1a718b7320e572e6090e8

SHA256
dc65753746ede2ff5e8f2fc67ae340db5cd2bcd85c5964bcf211ca2f48c621f8

SHA512
b2026dc31c296ed18481a3fce214aa66d6a8babde6204957242e945231ce65c07b235773aebf4bd74fb135429e558815ae5262839e3cd3d1c65cef86c1f4d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\atwu4e0t\atwu4e0t.dll

Filesize
7KB

MD5
3370960fbc4a17e1c159991020d34920

SHA1
b2a1a261bd34db3efc4c4bc47b35d01b8ec48223

SHA256
7f6ac1b4ca05601ce6c637142d5729a2238fe7a0a138064e473c9d82c3295291

SHA512
b3332ded03c15103b09809b05bceb3de88fa8dd9d397c61248e513d4fe18f41485896bad34b0d7b7f0f937047d0f8450fdee5c143cfb31b22f421d74997231e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\atwu4e0t\atwu4e0t.pdb

Filesize
23KB

MD5
8ea5e4af5ec6e1433f5093399dca183d

SHA1
e5c6cf2adbef3a06594e9d128f10692faae63ee0

SHA256
0f2807703380882b4815f1b6a63448c5e09465e49b349089d77e6bf480969c32

SHA512
b0ec055d871c9a9b4f439aa3c64f1a175d5b0b995e810f205ccac76ed4517f7f62d1ff6803ccd13d7381b410bd3ad05acc90a85125453e52094fab2693cf6b02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atwu4e0t\CSC4353A151EE304F6189EDAEED93D2BDAC.TMP

Filesize
1KB

MD5
9094f95b3901fab05970243acca16ee5

SHA1
d9cea03c0c93253252fcb66100b1ddab485058d6

SHA256
2f159670c37e5737ee49696636faf51c5680654f47ec290254a457865e93b934

SHA512
7060fc767609935c1d80ecb5148ac73c8ddfe01f28dd8ba84097c76c73a20a56145fd55224d5297d1e4324d3802816566aaa80bc30987b640177028550d84042

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atwu4e0t\atwu4e0t.0.cs

Filesize
6KB

MD5
5629d4d76a65d57956da4fddb38104a8

SHA1
c95154f9f90ec701f0e745bdcf5571541a78a5e9

SHA256
fc49918fc03549f562bcc1f3abbd4c9452cbc0c50de5ce82bdc5dced66e33a0a

SHA512
5402ae05311d4aef3c2f012ba21a4b9b980b57be6227da73fabdee90e34f9bcf3c9ca0b5392606f9122d9523818adba906532c651ac9b9f2f54493cee1b974cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atwu4e0t\atwu4e0t.cmdline

Filesize
312B

MD5
b6110c04258ed169b2de719f1a442ee8

SHA1
3eb613a159ab7b56a164a067b7a76a9f15bf6722

SHA256
9e5c007aa9e2ae5df52ce4f60aa96bc0f8b32ac5e13bee35258362dbea4f8a89

SHA512
c77bb4dd5892badf2a29b72c25b7437023b1c9e3e02f81523c3bc6c2826e8062d9f7b8a69a74eb4550f8665ed8b6c7fc9e35531af9c094d48d45823a325b0a29

Download Submit
memory/2352-19-0x0000000004C50000-0x0000000004CB0000-memory.dmp

Filesize
384KB

Download
memory/2352-39-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp

Filesize
472KB

Download
memory/2352-17-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2352-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/2352-20-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2352-23-0x0000000004CB0000-0x0000000004D06000-memory.dmp

Filesize
344KB

Download
memory/2352-5-0x0000000074540000-0x0000000074C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2828-38-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing