Overview

overview

10

Static

static

3

e21ce3b569...18.exe

windows7-x64

7

e21ce3b569...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe

  • Size

    627KB

  • MD5

    e21ce3b569be0bce5f0524bf09851718

  • SHA1

    93fcdd20188e4d2cf5c1cdb048d680dfb46ce91e

  • SHA256

    448fe83a93d937d4435f81bc208ed2ea46d6e983e13f4f4ec9a69d1c25d3ecd5

  • SHA512

    315a46d109b3a91420ce508bedefec3d47cfecb910014852fd2c86d18c2121a35649513980257214e898d135855141dceeb1031bc0189c482e37de2f8a7d858f

  • SSDEEP

    12288:dXghTYSNmQIDFye/FoJYJCZFweKwarO2PjdHc8ES3J:2N1mQID3/FoKJCZXKdCMXES

Score
10/10
imminentagilenetdiscoverypersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_jaffacakes118\e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_jaffacakes118\e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_jaffacakes118\e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_jaffacakes118\e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 1000
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1756
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1088

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      69.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      69.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      107.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      107.12.20.2.in-addr.arpa
      IN PTR
      Response
      107.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-107deploystaticakamaitechnologiescom
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81deploystaticakamaitechnologiescom
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73deploystaticakamaitechnologiescom
    • flag-us
      DNS
      bellamycous.ddns.net
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      Remote address:
      8.8.8.8:53
      Request
      bellamycous.ddns.net
      IN A
      Response
      bellamycous.ddns.net
      IN A
      184.105.237.195
    • flag-us
      DNS
      195.237.105.184.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      195.237.105.184.in-addr.arpa
      IN PTR
      Response
      195.237.105.184.in-addr.arpa
      IN CNAME
      195.192-26.237.105.184.in-addr.arpa
      195.192-26.237.105.184.in-addr.arpa
      IN PTR
      184-105-237-195sinkhole shadowserverorg
    • 184.105.237.195:9007
      bellamycous.ddns.net
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      390 B
       288 B
       8
      7
    • 184.105.237.195:9007
      bellamycous.ddns.net
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      194 B
       88 B
       4
      2
    • 184.105.237.195:9007
      bellamycous.ddns.net
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      490 B
       288 B
       10
      7
    • 184.105.237.195:9007
      bellamycous.ddns.net
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      98 B
       48 B
       2
      1
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      69.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      69.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      107.12.20.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      107.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      bellamycous.ddns.net
      dns
      e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      66 B
       82 B
       1
      1

      DNS Request

      bellamycous.ddns.net

      DNS Response

      184.105.237.195

    • 8.8.8.8:53
      195.237.105.184.in-addr.arpa
      dns
      74 B
       154 B
       1
      1

      DNS Request

      195.237.105.184.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe.log
      Filesize

      706B

      MD5

      2ef5ef69dadb8865b3d5b58c956077b8

      SHA1

      af2d869bac00685c745652bbd8b3fe82829a8998

      SHA256

      363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

      SHA512

      66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\e21ce3b569be0bce5f0524bf09851718_jaffacakes118\e21ce3b569be0bce5f0524bf09851718_jaffacakes118.exe
      Filesize

      627KB

      MD5

      e21ce3b569be0bce5f0524bf09851718

      SHA1

      93fcdd20188e4d2cf5c1cdb048d680dfb46ce91e

      SHA256

      448fe83a93d937d4435f81bc208ed2ea46d6e983e13f4f4ec9a69d1c25d3ecd5

      SHA512

      315a46d109b3a91420ce508bedefec3d47cfecb910014852fd2c86d18c2121a35649513980257214e898d135855141dceeb1031bc0189c482e37de2f8a7d858f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
      Filesize

      64B

      MD5

      ee5307a1d8232528053e31e4f06db543

      SHA1

      fa396f832e17866985ff416b9478b27dcc5b0c4a

      SHA256

      1c130f34d2c54ea63b8c7b243b5103761f586a94cf3c4db4ab7230331613e596

      SHA512

      5ae62622eb78b04a5cdf443f71d6e396df61153a4f704ffefe806dac5fefe144f9bca4fa7233fdb35563ed4031d9e0bddd19c450b697c30a90ad8a735df87184

      Download Submit

    • memory/2264-10-0x0000000004E90000-0x0000000004E9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2264-0-0x000000007492E000-0x000000007492F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-5-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2264-6-0x000000007492E000-0x000000007492F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2264-7-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2264-8-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2264-9-0x0000000004D10000-0x0000000004D1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2264-1-0x0000000000250000-0x00000000002F4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2264-11-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2264-4-0x0000000004D70000-0x0000000004E02000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2264-3-0x0000000005280000-0x0000000005824000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2264-2-0x0000000004C20000-0x0000000004C50000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2264-15-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3108-36-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3108-34-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3108-37-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3108-41-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3108-38-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3444-80-0x0000000001210000-0x000000000121C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3444-44-0x0000000007AF0000-0x0000000007B06000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3444-45-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3648-18-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3648-35-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3648-22-0x0000000006730000-0x0000000006748000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3648-21-0x0000000006770000-0x00000000067D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3648-20-0x0000000005280000-0x00000000052A8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3648-19-0x0000000005420000-0x00000000054CE000-memory.dmp

      Filesize

      696KB

      Download

    • memory/3648-17-0x0000000002D30000-0x0000000002D40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-16-0x0000000074920000-0x00000000750D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3648-12-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.