Malware Analysis Report

2025-01-03 09:23

Sample ID 240620-rqgsqssbmb
Target 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118
SHA256 5f6dfef989b9ac4da5ccb5fcb8bc07ee3d6b86188e6d20d5d349d42191e15ab0
Tags bootkit persistence upx
Score 7/10


Analysis Overview

Score 7/10

SHA256 5f6dfef989b9ac4da5ccb5fcb8bc07ee3d6b86188e6d20d5d349d42191e15ab0

Threat Level: Shows suspicious behavior

The file 06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

Checks computer location settings

Executes dropped EXE

UPX packed file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-20 14:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-20 14:23

Reported 2024-06-20 14:26

Platform win7-20240611-en

Max time kernel 149s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SVCHOST.EXE N/A
N/A N/A C:\windows\Pinnacle.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE" C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\SVCHOST.EXE C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
File created \??\c:\windows\Pinnacle.exe C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\svchost.inf C:\windows\SVCHOST.EXE N/A
File created \??\c:\windows\svchost.inf C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A
N/A N/A C:\windows\SVCHOST.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A (64 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\SVCHOST.EXE N/A
N/A N/A C:\windows\SVCHOST.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"

C:\windows\SVCHOST.EXE

"C:\windows\SVCHOST.EXE"

C:\windows\Pinnacle.exe

"C:\windows\Pinnacle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 poczta.o2.pl udp
PL 193.17.41.243:25 poczta.o2.pl tcp
PL 193.17.41.243:25 poczta.o2.pl tcp

Files

memory/2124-0-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2124-1-0x0000000000510000-0x0000000000545000-memory.dmp

memory/2124-2-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-3-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-6-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-7-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-5-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-4-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/2124-8-0x0000000001F30000-0x0000000001F32000-memory.dmp

memory/2124-9-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

memory/2124-16-0x0000000002000000-0x0000000002001000-memory.dmp

memory/2124-15-0x0000000002010000-0x0000000002011000-memory.dmp

memory/2124-14-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/2124-13-0x0000000001F90000-0x0000000001F91000-memory.dmp

C:\Windows\SVCHOST.EXE

MD5 2c3a3dfc019e42a6dc14ff2c2de71cd6
SHA1 c5013a9e0253928d75176a238bd21ff311364e9e
SHA256 d4e7e8e9f0d90d90029c83cdfbe5810bb1b20605d50cd57ef008f63dbe44c858
SHA512 f830f3c4fe0c8bf507f541b7c82eba93370c81fcbbaf89e54492873086838e20ac3a4d55957263138f4e76e7cb059ea55ca49dd0e672a4d237b0aa37e1e7abf8

memory/2124-27-0x0000000000400000-0x000000000050D000-memory.dmp

\??\c:\windows\svchost.inf

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/2788-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2704-29-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/2124-28-0x00000000032F0000-0x0000000003394000-memory.dmp

C:\Windows\Pinnacle.exe

MD5 b2755b1b19afb6f091b95a04fcfc7e32
SHA1 13bb01e2c504b1d76ad20931c33bf1361b8a07e8
SHA256 8ec3c7cc0cade861b181c9ebe19b970ee5bdad92cc50d1fc5de8bcc1b3b831ac
SHA512 0ee56aa01f3861179aed1790b2ac619c3b0e03ceda4e188fdced6b49c5f9e7d3bbc510f54e8e7b69dcaee2f92594d9e536982e4e5bd4eda5763941651661669e

memory/2124-33-0x0000000000510000-0x0000000000545000-memory.dmp

memory/2788-35-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2704-36-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/2788-39-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2788-40-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2788-46-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2788-48-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2788-50-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2788-58-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2788-60-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-20 14:23

Reported 2024-06-20 14:26

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SVCHOST.EXE N/A
N/A N/A C:\windows\Pinnacle.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical entries)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE" C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\SVCHOST.EXE C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
File created \??\c:\windows\Pinnacle.exe C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\svchost.inf C:\windows\SVCHOST.EXE N/A
File created \??\c:\windows\svchost.inf C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A
N/A N/A C:\windows\SVCHOST.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A (64 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\windows\Pinnacle.exe N/A (64 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\SVCHOST.EXE N/A
N/A N/A C:\windows\SVCHOST.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"

C:\windows\SVCHOST.EXE

"C:\windows\SVCHOST.EXE"

C:\windows\Pinnacle.exe

"C:\windows\Pinnacle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 poczta.o2.pl udp
PL 193.17.41.243:25 poczta.o2.pl tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
PL 193.17.41.243:25 poczta.o2.pl tcp

Files

memory/1112-0-0x0000000000400000-0x000000000050D000-memory.dmp

memory/1112-21-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-20-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-19-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-18-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-30-0x0000000002430000-0x0000000002431000-memory.dmp

memory/1112-29-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1112-28-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/1112-27-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/1112-26-0x0000000002350000-0x0000000002351000-memory.dmp

memory/1112-25-0x0000000002360000-0x0000000002362000-memory.dmp

memory/1112-17-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-16-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-15-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-14-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-13-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-12-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-11-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-10-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-9-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-8-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-7-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-6-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-5-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-4-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-3-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-2-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1112-1-0x0000000002020000-0x0000000002055000-memory.dmp

C:\Windows\SVCHOST.EXE

MD5 2c3a3dfc019e42a6dc14ff2c2de71cd6
SHA1 c5013a9e0253928d75176a238bd21ff311364e9e
SHA256 d4e7e8e9f0d90d90029c83cdfbe5810bb1b20605d50cd57ef008f63dbe44c858
SHA512 f830f3c4fe0c8bf507f541b7c82eba93370c81fcbbaf89e54492873086838e20ac3a4d55957263138f4e76e7cb059ea55ca49dd0e672a4d237b0aa37e1e7abf8

C:\Windows\Pinnacle.exe

MD5 b2755b1b19afb6f091b95a04fcfc7e32
SHA1 13bb01e2c504b1d76ad20931c33bf1361b8a07e8
SHA256 8ec3c7cc0cade861b181c9ebe19b970ee5bdad92cc50d1fc5de8bcc1b3b831ac
SHA512 0ee56aa01f3861179aed1790b2ac619c3b0e03ceda4e188fdced6b49c5f9e7d3bbc510f54e8e7b69dcaee2f92594d9e536982e4e5bd4eda5763941651661669e

memory/1112-48-0x0000000002020000-0x0000000002055000-memory.dmp

memory/1112-49-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2856-50-0x0000000000400000-0x00000000004A4000-memory.dmp

\??\c:\windows\svchost.inf

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/2652-51-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2652-55-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2856-56-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/2652-59-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2652-62-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-66-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-68-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2856-69-0x0000000000400000-0x00000000004A4000-memory.dmp

memory/2652-70-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-72-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-74-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-76-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-78-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-80-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2652-82-0x0000000000400000-0x0000000000483000-memory.dmp