f0b6ee02e019c250615a447a07dfc164dc7c4ebf267d7a48b82c9e731152002d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 19:03

Target

2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe
Size

359KB
MD5

2d7ad11414cab94f609c605bf83d7dd2
SHA1

8a8a9e3153e9473fc6439b1b77b5cf1d4a68b197
SHA256

f0b6ee02e019c250615a447a07dfc164dc7c4ebf267d7a48b82c9e731152002d
SHA512

6a6fdf4b5a9e371158fd6cf3cc213a2e9b8ac215cb4ee30a932104018dc8b1ffe436df3b996f8f962a0a4de43694c96b85028ee417ed34e646fea808bb175643
SSDEEP

6144:V4e5LG6rnO6b3gF55W+50AOyp76xJlSK2BaxhFYpVDMO5EvnRPDZz3:55zn9b3G5w+yAfY4KvQGvFZz3

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	SILANG.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2660	2368	SILANG.exe	31

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SILANG.exe	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe
File opened for modification	C:\Windows\SILANG.exe	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe
Token: SeDebugPrivilege	2368	SILANG.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 2368 wrote to memory of 2660	2368	SILANG.exe	31
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32
PID 1504 wrote to memory of 2644	1504	2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d7ad11414cab94f609c605bf83d7dd2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2644

C:\Windows\SILANG.exe
C:\Windows\SILANG.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:2660

C:\Windows\SILANG.exe

Filesize
359KB

MD5
2d7ad11414cab94f609c605bf83d7dd2

SHA1
8a8a9e3153e9473fc6439b1b77b5cf1d4a68b197

SHA256
f0b6ee02e019c250615a447a07dfc164dc7c4ebf267d7a48b82c9e731152002d

SHA512
6a6fdf4b5a9e371158fd6cf3cc213a2e9b8ac215cb4ee30a932104018dc8b1ffe436df3b996f8f962a0a4de43694c96b85028ee417ed34e646fea808bb175643

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
d150788723a2489c5491723083bc5ffc

SHA1
e03d4c88e17c5daf9a625db524dd52c9b0a5f322

SHA256
d2d57618c8182beb4e1287020b9902eb4f60342e931b182d538ed0bf2b415a3f

SHA512
c86247f17a3e2431b330540619cc2706abbb30c61d560f5917fa7f71b3d22af08e358f3dd42a778ced3ebaa4bc201394e0c1f043b3fab465641c247a64b4406a

Download Submit
memory/1504-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1504-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1504-19-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2368-5-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2368-22-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2660-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-9-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2660-11-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download