Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2024, 22:45 UTC

General

  • Target

    11e0b466d52e2d751c6c80d43525b1fb_JaffaCakes118.pdf

  • Size

    86KB

  • MD5

    11e0b466d52e2d751c6c80d43525b1fb

  • SHA1

    c09acbb829ef98adf9221daba5486804af8c55b6

  • SHA256

    dcfdf3f8ea00db8269689a7fba24ec884a5fa53083a63fcdf2ccad7072da88df

  • SHA512

    e25e9c08f1877e953e8a2838b99283d63509e9dd8097110c04756f9e94a9395c89bd3b2651fa40d36cf7412e794d9ba1ab16e78c82b36d6b4ec8d67ed3067ba3

  • SSDEEP

    1536:SSWnfIz5KewijvEY9Hjj+aac1tmpF1rWWypOlWWxrRyb5cKBvlprY:T+fI9KeJjj+aKv1r3lDrRyNc6vlW

Score
1/10
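Two checks worth running before leaning on a 1/10 dynamic verdict for a PDF, as an added example that is not part of the report: confirm that the file on hand produces the digests listed under General, and look statically for the PDF name objects that carry or trigger active content, since a 143-second run only shows what the viewer happened to execute. The sample bytes below are constructed for the demonstration and are not the analysed file; ssdeep is left out because it needs a separate module.

```python
import hashlib
import re

# Digests copied from the General section of the report.
REPORT_HASHES = {
    "md5": "11e0b466d52e2d751c6c80d43525b1fb",
    "sha1": "c09acbb829ef98adf9221daba5486804af8c55b6",
    "sha256": "dcfdf3f8ea00db8269689a7fba24ec884a5fa53083a63fcdf2ccad7072da88df",
    "sha512": "e25e9c08f1877e953e8a2838b99283d63509e9dd8097110c04756f9e94a9395c"
              "89bd3b2651fa40d36cf7412e794d9ba1ab16e78c82b36d6b4ec8d67ed3067ba3",
}

# PDF name objects that carry or trigger active content. /ObjStm is listed because
# objects packed into object streams are compressed and invisible to a plain byte scan.
ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/URI", "/SubmitForm", "/RichMedia", "/XFA", "/ObjStm")


def hashes_of(data: bytes) -> dict:
    """Compute the same digests the report prints, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only when every digest matches; a single mismatch means a different file."""
    return hashes_of(data) == REPORT_HASHES


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside names so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_active_content(data: bytes) -> dict:
    """Count active-content names present in the raw (uncompressed) PDF bytes."""
    text = normalize_names(data)
    counts = {}
    for key in ACTIVE_KEYS:
        # A name ends at a delimiter or whitespace, so /JS must not also count /JSX.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[key] = hits
    return counts


def static_triage(data: bytes) -> dict:
    """Combine both checks into one record an analyst can set beside the report."""
    keys = scan_active_content(data)
    return {
        "matches_report": matches_report(data),
        "active_content": keys,
        # With object streams present the counts above are only a lower bound.
        "scan_is_lower_bound": "/ObjStm" in keys,
    }


# Constructed sample: a minimal PDF whose catalog auto-runs an (obfuscated) JavaScript
# action. Illustrative only; it is not the file the report analysed.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(static_triage(SAMPLE_PDF))
```

For the constructed sample the scan reports one /OpenAction, one /JavaScript (recovered from the #61 escape) and one /JS, and the hash comparison fails, which is the expected result for anything other than the exact 86KB file above. A clean file with no hits and matching digests is what would justify closing the case on this report alone.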

Malware Config

Signatures

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments. In this run both reads are attributed to AcroRd32.exe (PID 1432), the viewer process that opened the sample; the only children it spawns are its own RdrCEF.exe helpers.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
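What the "Checks processor information in registry" signature keys on, and why the same read weighs differently depending on which process performs it, as an added example rather than the sandbox's own rule. The events are constructed in an API-hook style (the report prints only the resulting counts); the two reads by PID 1432 mirror its 2 IoCs, the PID 9001 process is invented for contrast, and DOCUMENT_VIEWERS is an assumed allowlist.

```python
import re
from collections import Counter

# The key the signature is about: HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<n>
# holds ProcessorNameString, VendorIdentifier and ~MHz, the values evasive code compares
# with hypervisor fingerprints.
CPU_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+$",
                     re.IGNORECASE)

# Substrings an evasive sample typically tests ProcessorNameString / VendorIdentifier for.
VM_MARKERS = ("qemu", "virtual", "kvm", "vmware", "xen", "bochs", "hyper-v")

# Assumed allowlist: document viewers for which this read is routine (not from the report).
DOCUMENT_VIEWERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

ACRORD32 = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
CPU0 = r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Constructed events. Returned data values are invented; the report does not show them.
EVENTS = [
    {"pid": 1432, "image": ACRORD32, "api": "RegQueryValueExW", "key": CPU0,
     "value": "ProcessorNameString", "data": "Intel(R) Core(TM) i5 CPU"},
    {"pid": 1432, "image": ACRORD32, "api": "RegQueryValueExW", "key": CPU0,
     "value": "~MHz", "data": "2400"},
    {"pid": 1432, "image": ACRORD32, "api": "RegQueryValueExW",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "value": "ProductName", "data": "Windows 10 Pro"},
    {"pid": 9001, "image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "api": "RegQueryValueExW", "key": CPU0,
     "value": "ProcessorNameString", "data": "QEMU Virtual CPU version 2.5+"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cpu_info_reads(events: list) -> list:
    """Events that would fire 'Checks processor information in registry'."""
    return [e for e in events
            if e["api"].startswith("RegQueryValue") and CPU_KEY.search(e["key"])]


def ioc_counts(events: list) -> dict:
    """IoC count per PID, the number the report prints beside the signature."""
    return dict(Counter(e["pid"] for e in cpu_info_reads(events)))


def vm_marker_seen(events: list) -> dict:
    """PID -> True if a CPU read returned a hypervisor-looking string, i.e. the
    condition an evasive sample would branch on."""
    seen = {}
    for e in cpu_info_reads(events):
        hit = any(m in e["data"].lower() for m in VM_MARKERS)
        seen[e["pid"]] = seen.get(e["pid"], False) or hit
    return seen


def assess(events: list) -> dict:
    """Per PID: IoC count and whether the reading process is a document viewer.
    A document sample has no process of its own, so a read from the viewer carries
    less weight than the same read from a dropped executable."""
    images = {e["pid"]: e["image"] for e in events}
    result = {}
    for pid, n in ioc_counts(events).items():
        result[pid] = {"iocs": n, "from_viewer": basename(images[pid]) in DOCUMENT_VIEWERS}
    return result


if __name__ == "__main__":
    for pid, info in assess(EVENTS).items():
        print(pid, info, "vm marker:", vm_marker_seen(EVENTS)[pid])
```

The ProductName read is deliberately left in the event list: it is a registry read of system information, but not under the CentralProcessor key, so it does not count toward this signature.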

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\11e0b466d52e2d751c6c80d43525b1fb_JaffaCakes118.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F7BCD624A06CF0BCC2F59F56BDE5DF4A --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:1184
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5566F66CF3A5F90A3D3F1AF3AFB5F2FB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5566F66CF3A5F90A3D3F1AF3AFB5F2FB --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:4828
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C8F7CD1A19FBF77846C0950DAEAF7D2B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C8F7CD1A19FBF77846C0950DAEAF7D2B --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
            3⤵
              PID:4724
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C71DB037E34985737B906639F19D8FB --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:1392
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F40131CF1EC22A13A9676876EA252A2B --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:2316
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6708CEA545FDA1796821AA6087692296 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  3⤵
                    PID:2424
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                  2⤵
                    PID:4832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:1696
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:1972

                    Network

                    • DNS, all PTR (reverse) lookups sent to 8.8.8.8:53 (US):

                      Query                          Answer
                      104.219.191.52.in-addr.arpa    (no PTR record)
                      240.221.184.93.in-addr.arpa    (no PTR record)
                      183.59.114.20.in-addr.arpa     (no PTR record)
                      18.31.95.13.in-addr.arpa       (no PTR record)
                      232.135.221.88.in-addr.arpa    a88-221-135-232.deploy.static.akamaitechnologies.com
                      95.221.229.192.in-addr.arpa    (no PTR record)
                      69.31.126.40.in-addr.arpa      (no PTR record)
                      196.249.167.52.in-addr.arpa    (no PTR record)
                      149.220.183.52.in-addr.arpa    (no PTR record)
                      172.176.78.104.in-addr.arpa    a104-78-176-172.deploy.static.akamaitechnologies.com
                      50.134.221.88.in-addr.arpa     a88-221-134-50.deploy.static.akamaitechnologies.com
                      26.173.189.20.in-addr.arpa     (no PTR record)
                    • Connections (columns: bytes sent, bytes received, packets sent, packets received):

                      Remote address      Domain                         Proto   Sent   Received   Pkts out   Pkts in
                      20.231.121.79:80    -                              -       46 B   -          1          -
                      13.107.246.64:443   -                              -       92 B   40 B       2          1
                      8.8.8.8:53          104.219.191.52.in-addr.arpa    dns     73 B   147 B      1          1
                      8.8.8.8:53          240.221.184.93.in-addr.arpa    dns     73 B   144 B      1          1
                      8.8.8.8:53          183.59.114.20.in-addr.arpa     dns     72 B   158 B      1          1
                      8.8.8.8:53          18.31.95.13.in-addr.arpa       dns     70 B   144 B      1          1
                      8.8.8.8:53          232.135.221.88.in-addr.arpa    dns     73 B   139 B      1          1
                      8.8.8.8:53          95.221.229.192.in-addr.arpa    dns     73 B   144 B      1          1
                      8.8.8.8:53          69.31.126.40.in-addr.arpa      dns     71 B   157 B      1          1
                      8.8.8.8:53          196.249.167.52.in-addr.arpa    dns     73 B   147 B      1          1
                      8.8.8.8:53          149.220.183.52.in-addr.arpa    dns     73 B   147 B      1          1
                      8.8.8.8:53          172.176.78.104.in-addr.arpa    dns     73 B   139 B      1          1
                      8.8.8.8:53          50.134.221.88.in-addr.arpa     dns     72 B   137 B      1          1
                      8.8.8.8:53          26.173.189.20.in-addr.arpa     dns     72 B   158 B      1          1
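The PTR names above are easier to reason about once turned back into the addresses they describe and set against the two direct connections in the capture. The following Python, an added example and not part of the report, does that decoding and pairing. The PTR names and connection rows are copied from this report, the byte and packet columns are read as sent/received, and BASELINE_RANGES is an assumed allowlist standing in for ranges that a clean baseline run of the same image had already attributed to OS and vendor background traffic.

```python
import ipaddress

# PTR names exactly as they appear in the DNS section of the report.
PTR_QUERIES = [
    "104.219.191.52.in-addr.arpa", "240.221.184.93.in-addr.arpa",
    "183.59.114.20.in-addr.arpa", "18.31.95.13.in-addr.arpa",
    "232.135.221.88.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "69.31.126.40.in-addr.arpa", "196.249.167.52.in-addr.arpa",
    "149.220.183.52.in-addr.arpa", "172.176.78.104.in-addr.arpa",
    "50.134.221.88.in-addr.arpa", "26.173.189.20.in-addr.arpa",
]

# Non-DNS connections from the report: (remote ip, port, bytes sent, bytes received),
# reading the 46 B / 92 B column as sent and the 40 B column as received.
CONNECTIONS = [
    ("20.231.121.79", 80, 46, 0),
    ("13.107.246.64", 443, 92, 40),
]

# Assumed allowlist (not from the report): ranges a prior clean run of the same
# sandbox image attributed to OS/vendor background traffic. Replace with your own.
BASELINE_RANGES = [ipaddress.ip_network(n) for n in (
    "13.64.0.0/11", "13.104.0.0/14", "20.64.0.0/10", "20.184.0.0/13", "20.192.0.0/10",
    "40.126.0.0/18", "52.160.0.0/11", "88.221.0.0/16", "104.64.0.0/10",
)]


def ptr_to_ip(name: str) -> str:
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'; reject anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not a reverse name: {name}")
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    # IPv4Address validates each octet and normalises the text form.
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def in_baseline(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BASELINE_RANGES)


def triage(ptr_queries: list, connections: list) -> dict:
    """Pair reverse lookups with observed connections and flag what the baseline
    does not explain."""
    looked_up = {ptr_to_ip(q) for q in ptr_queries}
    contacted = {ip for ip, *_ in connections}
    by_ip = ipaddress.ip_address
    return {
        # Reverse lookups of addresses the capture never shows a connection to.
        "ptr_without_connection": sorted(looked_up - contacted, key=by_ip),
        # Connections made without any reverse lookup of the peer.
        "connection_without_ptr": sorted(contacted - looked_up, key=by_ip),
        # Anything, looked up or contacted, outside the assumed baseline ranges.
        "unattributed": [ip for ip in sorted(looked_up | contacted, key=by_ip)
                         if not in_baseline(ip)],
        # Peers that sent nothing back (here: one unanswered attempt on port 80).
        "no_reply": [f"{ip}:{port}" for ip, port, sent, recv in connections if recv == 0],
    }


if __name__ == "__main__":
    for k, v in triage(PTR_QUERIES, CONNECTIONS).items():
        print(k, v)
```

Run against this report, none of the twelve reverse lookups corresponds to a connection in the capture and neither direct connection was preceded by a reverse lookup, so the PTR traffic is the host resolving addresses it dealt with outside the captured flows rather than anything the sample reached out to. The two Edgecast-range addresses (93.184.221.240 and 192.229.221.95) come out as unattributed only because the assumed baseline list does not cover them.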

                    MITRE ATT&CK Enterprise v15


                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                      Filesize

                      64KB

                      MD5

                      1d1bd01cd4d86fed30839c0d0f03a0b4

                      SHA1

                      93cf34ed1d187f7fa9c5ac9445b8c6be797d98d6

                      SHA256

                      a6cfcb0f9e99135f8e6d1c54c7e37c6de8abb6f8370708ed985833ba5ad0187d

                      SHA512

                      d435898eafae03d6c8b402cb224b8d86569714a8e10205128597d11320614237c83c0c295e128ef2ac86c954b2e4c330f3c2f50dc272a34f22e915b35b5b4dbf

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                      Filesize

                      36KB

                      MD5

                      b30d3becc8731792523d599d949e63f5

                      SHA1

                      19350257e42d7aee17fb3bf139a9d3adb330fad4

                      SHA256

                      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                      SHA512

                      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                      Filesize

                      56KB

                      MD5

                      752a1f26b18748311b691c7d8fc20633

                      SHA1

                      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                      SHA256

                      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                      SHA512

                      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                    • memory/1432-150-0x000000000B660000-0x000000000B68A000-memory.dmp

                      Filesize

                      168KB
