imminent | f493eeef3b85b0c935129ba9b485b0c66edc7db1ec08cd2181c95d72ef1f30ab

General

Target

JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
Size

1.4MB
MD5

6fe1fdc0f1deeb8c1c830cf040ce6309
SHA1

6f7be3565465b211528e26de9d91ecb6088f140c
SHA256

f493eeef3b85b0c935129ba9b485b0c66edc7db1ec08cd2181c95d72ef1f30ab
SHA512

4075b33b7c24bc00fa645d600398c266c42428a79790790cb3dc241b45e0c425c0b101d366f677412d968b4868c10269859d85cce9b049ec29cbcff0fb64f93e
SSDEEP

24576:Xtb20pkaCqT5TBWgNQ7ajVKABDR9Fh7UAeVDH9RBSrG16A6:UVg5tQ7ahdNT75sDH9RBmu56

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kscnljwhfahpamu.fr.url	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1548	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	RegAsm.exe
Token: 33	1548	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1548	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28
PID 2076 wrote to memory of 1548	2076	JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe	28

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fe1fdc0f1deeb8c1c830cf040ce6309.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qjfrjlvo

Filesize
321KB

MD5
c047515974c4e25fe45f47c980990519

SHA1
e00abab92fd43991cf245e8a89650da28102c543

SHA256
11b1f535c842073283811e90d989cd2109a599c0f6ed48198b92bc65a4279152

SHA512
8b6194e3c9b749ed0fd0cd3d027ab8d58a7aa81953eb34eb98853461dc43bf29b28b7ffab78560dbfdc8e9d1d3af0b9d679ec13fcb0a26d1d5b67afbff9dad2a

Download Submit
memory/1548-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1548-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1548-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1548-16-0x0000000073E52000-0x0000000073E54000-memory.dmp

Filesize
8KB

Download
memory/1548-22-0x0000000073E52000-0x0000000073E54000-memory.dmp

Filesize
8KB

Download
memory/2076-10-0x0000000000BE0000-0x0000000000BE3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing