imminent | 4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Size

587KB
MD5

62f6fad0fda5914ffe98a696b39d2664
SHA1

622fbba68efba634088a783ebb7e6e931f7ecd9f
SHA256

4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0
SHA512

484bb8cbacc9907dd3ae9b8922af5169f4ad44385318f193aaf639404cc483aedad3ec9805188ca0bab9206f3538ef04848476206777e8152c21863d66265644
SSDEEP

12288:teR05v6rCmKni142PLmjcrRFTu6VsMSnbtg/nQEUHkk/:Sbqnl2PL9HiMSnJgUj/

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 2 IoCs

Processes:

tmp.exe.exe

pid process

3064 tmp.exe
2616 .exe
Loads dropped DLL 3 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

pid process

1540 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

description pid process target process

PID 1540 set thread context of 2616 1540 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3064	tmp.exe
2616	.exe

description	pid	process	target process
PID 1540 set thread context of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

pid	process
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tmp.exe

pid process

3064 tmp.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exetmp.exe

description pid process

Token: SeDebugPrivilege 1540 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Token: SeDebugPrivilege 3064 tmp.exe
Token: 33 3064 tmp.exe
Token: SeIncBasePriorityPrivilege 3064 tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

3064 tmp.exe

pid	process
3064	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Token: SeDebugPrivilege	3064	tmp.exe
Token: 33	3064	tmp.exe
Token: SeIncBasePriorityPrivilege	3064	tmp.exe

pid	process
3064	tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

description	pid	process	target process
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 1540 wrote to memory of 3064	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 1540 wrote to memory of 2616	1540	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe

C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
323KB

MD5
4b92b21c941444bd7e2f94732bd60f61

SHA1
838c0a98dd4b6769aa4cedbf408a76dfd7bde7c0

SHA256
cfd3cf21481b62f928e8d11af1b49b4c02feaab3491da54afe9ec7f31193205d

SHA512
44b917dc4f2dd7e0118947dab1791c5a1154d25db75ab770ca8c82e453cf3ea2f7f58dc294adfb1b751fcc47da35650afc8ffbbff65855a9d676f4ecda690d63

Download Submit
memory/1540-0-0x0000000074D41000-0x0000000074D42000-memory.dmp

Filesize
4KB

Download
memory/1540-1-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-2-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1540-35-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-34-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-27-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-33-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/2616-29-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-20-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-19-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2616-18-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3064-31-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-14-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-32-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-41-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-42-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-43-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download