imminent | 1c0b71a3b014e37e8fcaf6246b511dbc7d8bc699a70df65a3a850e63f2c490bc

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
Size

329KB
MD5

f935eb47643d5db4bc3408b59aa7ca51
SHA1

93c477c05afd2d880cba6490c7905a3ea3a91a33
SHA256

1c0b71a3b014e37e8fcaf6246b511dbc7d8bc699a70df65a3a850e63f2c490bc
SHA512

3a165f0f65bce2f5d3cf7ba3a6d5fcaec0b46e5456d42aed4038c785fd9eea5fb2c786976a8b1a6b8d72113f094123e2e44d0fdf4965cacc7b70f434ec7907be
SSDEEP

6144:rcMpXo/GH+qQccAbhIzezWvHv7DV+G7zFoAzMQv4HeypAudWVQ5bm:XpXo/GH+JccAbmKWvHzDV+RAzMbH9dZm

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2452 set thread context of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2628	cmd.exe
884	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
884	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
Token: SeDebugPrivilege	2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
Token: 33	2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
Token: SeIncBasePriorityPrivilege	2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2108	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2136	2132	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	28
PID 2136 wrote to memory of 2452	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2452	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2452	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2452	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	30
PID 2136 wrote to memory of 2628	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2628	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2628	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2628	2136	f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2452 wrote to memory of 2108	2452	f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe	33
PID 2628 wrote to memory of 884	2628	cmd.exe	34
PID 2628 wrote to memory of 884	2628	cmd.exe	34
PID 2628 wrote to memory of 884	2628	cmd.exe	34
PID 2628 wrote to memory of 884	2628	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118\f935eb47643d5db4bc3408b59aa7ca51_jaffacakes118.exe

Filesize
329KB

MD5
f935eb47643d5db4bc3408b59aa7ca51

SHA1
93c477c05afd2d880cba6490c7905a3ea3a91a33

SHA256
1c0b71a3b014e37e8fcaf6246b511dbc7d8bc699a70df65a3a850e63f2c490bc

SHA512
3a165f0f65bce2f5d3cf7ba3a6d5fcaec0b46e5456d42aed4038c785fd9eea5fb2c786976a8b1a6b8d72113f094123e2e44d0fdf4965cacc7b70f434ec7907be

Download Submit
memory/2108-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-47-0x0000000000070000-0x00000000000C6000-memory.dmp

Filesize
344KB

Download
memory/2108-50-0x0000000000070000-0x00000000000C6000-memory.dmp

Filesize
344KB

Download
memory/2108-43-0x0000000000070000-0x00000000000C6000-memory.dmp

Filesize
344KB

Download
memory/2132-18-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-1-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-2-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-0-0x0000000074FD1000-0x0000000074FD2000-memory.dmp

Filesize
4KB

Download
memory/2136-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-21-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-20-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-19-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2136-51-0x0000000074FD0000-0x000000007557B000-memory.dmp

Filesize
5.7MB

Download