imminent | f223b15bcafe2f5cfbf8659278fc1e526f0f385e68fbcda4c6f3b258a14acdc4

General

Target

f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
Size

623KB
MD5

f2d81d242785ee17e7af2725562e5eae
SHA1

8c53a16b4f36c5ec7159e7d9183dd747b3399fea
SHA256

f223b15bcafe2f5cfbf8659278fc1e526f0f385e68fbcda4c6f3b258a14acdc4
SHA512

3713e8941b3dbec44402a668ce22b15d480f7f0a9feba75cd9c811180b3cc723eeaab9f7b12f36409715cf2964d2cff69a9ce47c8c24603b1e13ca1a2a13a9e5
SSDEEP

12288:oa2go/0sk00nlVHIHtlrCNe4fI1dzPONUKWmc/0uXk6doWDapqpVprHKzj9YlsLF:ggo/BWnfHkLrSe91dzPXK+TB+pqp/jKp

Score

10^/10

imminent discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstartcdb = "C:\\Users\\Admin\\AppData\\Roaming\\defenderstcdb\\winlogimdecdb.exe"	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstartcdb = "\\defenderstcdb\\winlogimdecdb.exe"	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2184 set thread context of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4444	cmd.exe
4860	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4860	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
Token: SeDebugPrivilege	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
Token: SeDebugPrivilege	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Token: SeDebugPrivilege	3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Token: 33	3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
Token: SeIncBasePriorityPrivilege	3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3964	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 2536 wrote to memory of 232	2536	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	89
PID 232 wrote to memory of 2184	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	90
PID 232 wrote to memory of 2184	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	90
PID 232 wrote to memory of 2184	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	90
PID 232 wrote to memory of 4444	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	91
PID 232 wrote to memory of 4444	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	91
PID 232 wrote to memory of 4444	232	f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe	91
PID 4444 wrote to memory of 4860	4444	cmd.exe	93
PID 4444 wrote to memory of 4860	4444	cmd.exe	93
PID 4444 wrote to memory of 4860	4444	cmd.exe	93
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94
PID 2184 wrote to memory of 3964	2184	f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_jaffacakes118\f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_jaffacakes118\f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_jaffacakes118\f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_jaffacakes118\f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f2d81d242785ee17e7af2725562e5eae_JaffaCakes118.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2d81d242785ee17e7af2725562e5eae_jaffacakes118\f2d81d242785ee17e7af2725562e5eae_jaffacakes118.exe

Filesize
623KB

MD5
f2d81d242785ee17e7af2725562e5eae

SHA1
8c53a16b4f36c5ec7159e7d9183dd747b3399fea

SHA256
f223b15bcafe2f5cfbf8659278fc1e526f0f385e68fbcda4c6f3b258a14acdc4

SHA512
3713e8941b3dbec44402a668ce22b15d480f7f0a9feba75cd9c811180b3cc723eeaab9f7b12f36409715cf2964d2cff69a9ce47c8c24603b1e13ca1a2a13a9e5

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
62B

MD5
ff21416d8dfef8ed5bdb0167cba7ceb9

SHA1
900b5fba86733095ff7beca58dc099236be7a17a

SHA256
6e513b4c0e77cceeefea09f3e745868277a81fcba3f954e02f4004f0ba589aad

SHA512
8946cc6d5581dfa692ee09a9c7d3e92d856db9daadc440ac03c14054d121a8be60ce9c29051baaadb4cc0d3630e2143ebb0f3ecf317d20a22624f07ce958683f

Download Submit
memory/232-34-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/232-20-0x00000000078C0000-0x00000000078D8000-memory.dmp

Filesize
96KB

Download
memory/232-19-0x0000000007150000-0x00000000071B6000-memory.dmp

Filesize
408KB

Download
memory/232-18-0x0000000008B30000-0x0000000008B58000-memory.dmp

Filesize
160KB

Download
memory/232-17-0x0000000005700000-0x00000000057AE000-memory.dmp

Filesize
696KB

Download
memory/232-16-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/232-15-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/232-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/232-14-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-32-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-33-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-38-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-35-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-6-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-13-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-5-0x00000000050D0000-0x00000000050EA000-memory.dmp

Filesize
104KB

Download
memory/2536-4-0x0000000005060000-0x00000000050CA000-memory.dmp

Filesize
424KB

Download
memory/2536-3-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2536-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/2536-7-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/2536-8-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-9-0x0000000008440000-0x00000000084DC000-memory.dmp

Filesize
624KB

Download
memory/2536-1-0x0000000000660000-0x0000000000706000-memory.dmp

Filesize
664KB

Download
memory/3964-41-0x0000000007900000-0x0000000007916000-memory.dmp

Filesize
88KB

Download
memory/3964-42-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads