Analysis Overview
SHA256
5f6dfef989b9ac4da5ccb5fcb8bc07ee3d6b86188e6d20d5d349d42191e15ab0
Threat Level: Shows suspicious behavior
The file 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
UPX packed file
Writes to the Master Boot Record (MBR)
Adds Run key to start application
AutoIT Executable
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 14:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 14:23
Reported
2024-06-20 14:26
Platform
win7-20240611-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
| N/A | N/A | C:\windows\Pinnacle.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE" | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\SVCHOST.EXE | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\Pinnacle.exe | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\windows\svchost.inf | C:\windows\SVCHOST.EXE | N/A |
| File created | \??\c:\windows\svchost.inf | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Pinnacle.exe | N/A |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"
C:\windows\SVCHOST.EXE
"C:\windows\SVCHOST.EXE"
C:\windows\Pinnacle.exe
"C:\windows\Pinnacle.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | poczta.o2.pl | udp |
| PL | 193.17.41.243:25 | poczta.o2.pl | tcp |
| PL | 193.17.41.243:25 | poczta.o2.pl | tcp |
Files
memory/2124-0-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2124-1-0x0000000000510000-0x0000000000545000-memory.dmp
memory/2124-2-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-3-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-6-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-7-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-5-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-4-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/2124-8-0x0000000001F30000-0x0000000001F32000-memory.dmp
memory/2124-9-0x0000000001EE0000-0x0000000001EE1000-memory.dmp
memory/2124-16-0x0000000002000000-0x0000000002001000-memory.dmp
memory/2124-15-0x0000000002010000-0x0000000002011000-memory.dmp
memory/2124-14-0x0000000001F80000-0x0000000001F81000-memory.dmp
memory/2124-13-0x0000000001F90000-0x0000000001F91000-memory.dmp
C:\Windows\SVCHOST.EXE
| MD5 | 2c3a3dfc019e42a6dc14ff2c2de71cd6 |
| SHA1 | c5013a9e0253928d75176a238bd21ff311364e9e |
| SHA256 | d4e7e8e9f0d90d90029c83cdfbe5810bb1b20605d50cd57ef008f63dbe44c858 |
| SHA512 | f830f3c4fe0c8bf507f541b7c82eba93370c81fcbbaf89e54492873086838e20ac3a4d55957263138f4e76e7cb059ea55ca49dd0e672a4d237b0aa37e1e7abf8 |
memory/2124-27-0x0000000000400000-0x000000000050D000-memory.dmp
\??\c:\windows\svchost.inf
| MD5 | a5ea0ad9260b1550a14cc58d2c39b03d |
| SHA1 | f0aedf295071ed34ab8c6a7692223d22b6a19841 |
| SHA256 | f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04 |
| SHA512 | 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74 |
memory/2788-30-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2704-29-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2124-28-0x00000000032F0000-0x0000000003394000-memory.dmp
C:\Windows\Pinnacle.exe
| MD5 | b2755b1b19afb6f091b95a04fcfc7e32 |
| SHA1 | 13bb01e2c504b1d76ad20931c33bf1361b8a07e8 |
| SHA256 | 8ec3c7cc0cade861b181c9ebe19b970ee5bdad92cc50d1fc5de8bcc1b3b831ac |
| SHA512 | 0ee56aa01f3861179aed1790b2ac619c3b0e03ceda4e188fdced6b49c5f9e7d3bbc510f54e8e7b69dcaee2f92594d9e536982e4e5bd4eda5763941651661669e |
memory/2124-33-0x0000000000510000-0x0000000000545000-memory.dmp
memory/2788-35-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2704-36-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2788-39-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2788-40-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2788-46-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2788-48-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2788-50-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2788-58-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2788-60-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 14:23
Reported
2024-06-20 14:26
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
| N/A | N/A | C:\windows\Pinnacle.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE" | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\SVCHOST.EXE | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\Pinnacle.exe | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\windows\svchost.inf | C:\windows\SVCHOST.EXE | N/A |
| File created | \??\c:\windows\svchost.inf | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Pinnacle.exe | N/A |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
| N/A | N/A | C:\windows\SVCHOST.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1112 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\SVCHOST.EXE |
| PID 1112 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\SVCHOST.EXE |
| PID 1112 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\SVCHOST.EXE |
| PID 1112 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\Pinnacle.exe |
| PID 1112 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\Pinnacle.exe |
| PID 1112 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe | C:\windows\Pinnacle.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"
C:\windows\SVCHOST.EXE
"C:\windows\SVCHOST.EXE"
C:\windows\Pinnacle.exe
"C:\windows\Pinnacle.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poczta.o2.pl | udp |
| PL | 193.17.41.243:25 | poczta.o2.pl | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| PL | 193.17.41.243:25 | poczta.o2.pl | tcp |
Files
memory/1112-0-0x0000000000400000-0x000000000050D000-memory.dmp
memory/1112-21-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-20-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-19-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-18-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-30-0x0000000002430000-0x0000000002431000-memory.dmp
memory/1112-29-0x0000000002440000-0x0000000002441000-memory.dmp
memory/1112-28-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/1112-27-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/1112-26-0x0000000002350000-0x0000000002351000-memory.dmp
memory/1112-25-0x0000000002360000-0x0000000002362000-memory.dmp
memory/1112-17-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-16-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-15-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-14-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-13-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-12-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-11-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-10-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-9-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-8-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-7-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-6-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-5-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-4-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-3-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-2-0x0000000002360000-0x0000000002361000-memory.dmp
memory/1112-1-0x0000000002020000-0x0000000002055000-memory.dmp
C:\Windows\SVCHOST.EXE
| MD5 | 2c3a3dfc019e42a6dc14ff2c2de71cd6 |
| SHA1 | c5013a9e0253928d75176a238bd21ff311364e9e |
| SHA256 | d4e7e8e9f0d90d90029c83cdfbe5810bb1b20605d50cd57ef008f63dbe44c858 |
| SHA512 | f830f3c4fe0c8bf507f541b7c82eba93370c81fcbbaf89e54492873086838e20ac3a4d55957263138f4e76e7cb059ea55ca49dd0e672a4d237b0aa37e1e7abf8 |
C:\Windows\Pinnacle.exe
| MD5 | b2755b1b19afb6f091b95a04fcfc7e32 |
| SHA1 | 13bb01e2c504b1d76ad20931c33bf1361b8a07e8 |
| SHA256 | 8ec3c7cc0cade861b181c9ebe19b970ee5bdad92cc50d1fc5de8bcc1b3b831ac |
| SHA512 | 0ee56aa01f3861179aed1790b2ac619c3b0e03ceda4e188fdced6b49c5f9e7d3bbc510f54e8e7b69dcaee2f92594d9e536982e4e5bd4eda5763941651661669e |
memory/1112-48-0x0000000002020000-0x0000000002055000-memory.dmp
memory/1112-49-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2856-50-0x0000000000400000-0x00000000004A4000-memory.dmp
\??\c:\windows\svchost.inf
| MD5 | a5ea0ad9260b1550a14cc58d2c39b03d |
| SHA1 | f0aedf295071ed34ab8c6a7692223d22b6a19841 |
| SHA256 | f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04 |
| SHA512 | 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74 |
memory/2652-51-0x0000000002720000-0x0000000002721000-memory.dmp
memory/2652-55-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2856-56-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2652-59-0x0000000002720000-0x0000000002721000-memory.dmp
memory/2652-62-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-66-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-68-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2856-69-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/2652-70-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-72-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-74-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-76-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-78-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-80-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2652-82-0x0000000000400000-0x0000000000483000-memory.dmp