Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
01-01-2025 14:29
General
-
Target
JaffaCakes118_58af7b91af918aaaf0517c50728ea7ed.exe
-
Size
908KB
-
MD5
58af7b91af918aaaf0517c50728ea7ed
-
SHA1
a36361938df502286245392342b9f5d0c214ac94
-
SHA256
24d6bdcc1fd603ed16d96146e9dd9c3c876c19f70a0b262de431e5c333b43d49
-
SHA512
abfceb84ae216b4f92a7290d4d3ad0e7bb845026ea760d3d948479a792b1fbe8a526298ed5df8f4a4b7401aa8afc773f2920ea04be43e04b239f8586259840c6
-
SSDEEP
12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRN:QwqN0gi+TCUQvHEFXb
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58af7b91af918aaaf0517c50728ea7ed.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58af7b91af918aaaf0517c50728ea7ed.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\model\print.exe"C:\Users\Admin\AppData\Roaming\model\print.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD57fb2a56985f8c1f3b4fc5a8de4049348
SHA1cdbf930926e78ce7ed589c962241e0e2eb2d329a
SHA2562ef648bcd6239300e5b28c318b121068f71dbbba6a094554cecc7942678c1357
SHA512f23db16e308949bbddc170c0ab3558569ffe6dbc5e7a4fea0f38ce9656fda9b2c11a2c41ef19c0bb8d0ef6f3922c2890cbbda76874d3966a1ed398a13692de93
-
Filesize
4KB
-
Filesize
888KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
160KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
6.9MB
-
Filesize
888KB
-
Filesize
6.9MB
-
Filesize
352KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB