Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-01-2025 00:58
General
-
Target
JaffaCakes118_44665e3f3a54b8186bc1b00b08be4e20.exe
-
Size
908KB
-
MD5
44665e3f3a54b8186bc1b00b08be4e20
-
SHA1
42e0345a5309bdca0efc1e8fcca8a17aafab3d58
-
SHA256
216c7ee6bad3986c5749118f0814632781d714a21a634eb7d7ff9c73a0381d09
-
SHA512
a742c9f6f4de26d1cd67757129e9d642cb06f448c8be37c5a2484ab82c1520c2e822b7367c25f93491e0f31a482ba3c59be03f0800417457ac675152fa1c63f6
-
SSDEEP
12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRY:QwqN0gi+TCUQvHEFXW
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44665e3f3a54b8186bc1b00b08be4e20.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44665e3f3a54b8186bc1b00b08be4e20.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\model\print.exe"C:\Users\Admin\AppData\Roaming\model\print.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD57a2e9b5e15987e15da206742fb481259
SHA186ed45fe8f0b0286d6b6ad6c9dc51a7e71c3a356
SHA2566572811931ed9b2724bb929e56404cef32db904ad6abb11d016159eefde93762
SHA512c472d8ae5cf4013776aced86d229a1ecba1e839c9fbfac0eba846b64056df2fc99f5c443d792b9e92880b35c37ac0bc4d653bc30f2f68c084e942c454fbfc6a7
-
Filesize
7.7MB
-
Filesize
352KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
696KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
96KB
-
Filesize
408KB
-
Filesize
160KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
888KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
4KB