imminent | ee973121367164956cf11f1e3747136f3d5ae0a7bf5b93d16f9544a77e462f31

General

Target

e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Size

455KB
MD5

e207693a0d28f9b5da56a8191d76fe3f
SHA1

43709bf8b251fd478ef14f86cddfad47b563c41a
SHA256

ee973121367164956cf11f1e3747136f3d5ae0a7bf5b93d16f9544a77e462f31
SHA512

f7ef8eeba533e67845f4eda94e1d6a551eb2f6d83a37ed581092fc9d99c5506a7d4e7e94624f568361a611bb2af3802b7e73d64b35048ef01e4ea14a1f818e5a
SSDEEP

12288:XVlgmU+jpvnSs1/RvptXqQQxAQLGoSxtALqtu7rI:ngmUps5tptajxlLHVLX

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HqYDbI.url	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4980	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
Token: SeDebugPrivilege	4980	RegAsm.exe
Token: 33	4980	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4980	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4004	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	86
PID 2728 wrote to memory of 4004	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	86
PID 2728 wrote to memory of 4004	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	86
PID 4004 wrote to memory of 3340	4004	csc.exe	88
PID 4004 wrote to memory of 3340	4004	csc.exe	88
PID 4004 wrote to memory of 3340	4004	csc.exe	88
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89
PID 2728 wrote to memory of 4980	2728	e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e207693a0d28f9b5da56a8191d76fe3f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yullmho1\yullmho1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9B4.tmp" "c:\Users\Admin\AppData\Local\Temp\yullmho1\CSC2CD709D064DF406692A16DB44AD9936C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE9B4.tmp

Filesize
1KB

MD5
e3a921dd90e29c36fc35c0089e8ea976

SHA1
fc8a97ddaff7b315393a13abbb4b1fc0a576512e

SHA256
d4227a21440a53961e45a77688ee29e223a722e3ced08d1e1438d3576c57f5f7

SHA512
285b67eac4ae70f5450b508b7cf287203377cf78984607b37d8b9c6419892fe90dc1326457f83d73a534603a61c27e41624ef9450a1b855dbca97ca2f7a29f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\yullmho1\yullmho1.dll

Filesize
7KB

MD5
08cff75dbbfd5285efa841cc03b79e3b

SHA1
2fd89b451388c5e0d7f7e14e8505d069daba48bf

SHA256
9ccc558cd98ea7f2487837c50c3f5b1bd2551300ff4272af43680bb9d06d9e9e

SHA512
eb03e68d78241d99a8d673145c05f41a4506b7cda29cfa3c4a18575e33764437320daf7baa417629e481aa3d2663545cb8397560349d269730c4dfcb3b71be8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yullmho1\yullmho1.pdb

Filesize
23KB

MD5
64622c0f603083f57a65bd460e0f6e52

SHA1
7a79e3a72cbc3fe5fa0502a8d39824bda8aae414

SHA256
583fdb625187b94197ffdd3ca97f9b7fdaff9b6737e419b86cb2cc3bb236a548

SHA512
fed245bd880bc642d9b08bdc0a968f8903e0b250d7c7fa3ba4a795ace14a8bdc6e66d32b912ef3d52d23d388955c7c7337eb5eb7c540d0dfb53e45fd126d4c06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yullmho1\CSC2CD709D064DF406692A16DB44AD9936C.TMP

Filesize
1KB

MD5
54038a0079742d421cfc0e9c2f1bc125

SHA1
7f319cbb6bd5a1fa7c31b2f9b297345c71538009

SHA256
399a7e96b434af40c04d6cab44ad79746cf2f2d86485785e44f0755917b21a8f

SHA512
e022c08fbff142f1696125ecf8941df9e764ff7baf81c4775f892a58ab369427a159b1f5e4a66b2d9109e8c846975669aab6e0b448d380cb10412eb52d81c6ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yullmho1\yullmho1.0.cs

Filesize
6KB

MD5
5629d4d76a65d57956da4fddb38104a8

SHA1
c95154f9f90ec701f0e745bdcf5571541a78a5e9

SHA256
fc49918fc03549f562bcc1f3abbd4c9452cbc0c50de5ce82bdc5dced66e33a0a

SHA512
5402ae05311d4aef3c2f012ba21a4b9b980b57be6227da73fabdee90e34f9bcf3c9ca0b5392606f9122d9523818adba906532c651ac9b9f2f54493cee1b974cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yullmho1\yullmho1.cmdline

Filesize
312B

MD5
bf58236e7f950ff384522e7d81901438

SHA1
d868357fb5935a04c77c9df6aca95aaf9ba11cd9

SHA256
720195adf7a8d9f47d80aeac3227f8d4304dbc38583ec03c829fcf7f0751a57e

SHA512
3d028830a8d704c065b06d422a5e5f3d8bf5429d53d75362a8960ba060ee92ec0ab750da82481912cb294d6b66c2d0af68a634308104d219bd044ede0c71b46a

Download Submit
memory/2728-19-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/2728-28-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/2728-1-0x00000000002E0000-0x0000000000356000-memory.dmp

Filesize
472KB

Download
memory/2728-17-0x00000000026C0000-0x00000000026C8000-memory.dmp

Filesize
32KB

Download
memory/2728-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2728-20-0x0000000005230000-0x0000000005290000-memory.dmp

Filesize
384KB

Download
memory/2728-21-0x0000000004D20000-0x0000000004D2C000-memory.dmp

Filesize
48KB

Download
memory/2728-24-0x00000000052A0000-0x00000000052F6000-memory.dmp

Filesize
344KB

Download
memory/2728-25-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/2728-5-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4980-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4980-29-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/4980-30-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4980-31-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4980-39-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

Filesize
4KB

Download
memory/4980-40-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download
memory/4980-41-0x0000000074BE0000-0x0000000075191000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing