48f1c8b10ef2af981915080ffd80ba1e3316b6097f6d84b23ec35a3ea1cce411

Analysis

max time kernel
158s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09114c35b28e96d24e5a7a231dddeca6_JaffaCakes118.pdf
Size

90KB
MD5

09114c35b28e96d24e5a7a231dddeca6
SHA1

b11c657dc11a662652ae99fb71bb1e40fc963c11
SHA256

48f1c8b10ef2af981915080ffd80ba1e3316b6097f6d84b23ec35a3ea1cce411
SHA512

077e4afecf575cac6de90c4b9cf48bfc150406c6c8b9a24bbffba82bb969ec368692d6a62a76a6e5d79ab9ff31a4e1e15fd9935bebb462aeacb30903d8e437d6
SSDEEP

1536:AKeRpWmQo5/duEMb0Zzl/QmG8BdRPW9YL7BQ6WmpOS8+8WCrS+Z:6Rpd55/sB05lvGQdN7BQHS5ZC9

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
384	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe
384	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1492	384	AcroRd32.exe	89
PID 384 wrote to memory of 1492	384	AcroRd32.exe	89
PID 384 wrote to memory of 1492	384	AcroRd32.exe	89
PID 384 wrote to memory of 3776	384	AcroRd32.exe	94
PID 384 wrote to memory of 3776	384	AcroRd32.exe	94
PID 384 wrote to memory of 3776	384	AcroRd32.exe	94
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 2488	1492	RdrCEF.exe	95
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96
PID 1492 wrote to memory of 3636	1492	RdrCEF.exe	96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\09114c35b28e96d24e5a7a231dddeca6_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FB753844107EEC9C39F4EEE4222993F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FB753844107EEC9C39F4EEE4222993F3 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A0C9FA34C14B592AF0FC4F53C5961719 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3636
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=63C34FC2C13881F1465DA44F53A191A4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=63C34FC2C13881F1465DA44F53A191A4 --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=813546C281BB4F1396C24319FC4F0653 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2476
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=416962AFF559886BC32214F8519E378E --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9545D2A6AF5058351BC3DB5C1B6FB6E0 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4132
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
56ca1cf84e2d20064fd6403a12b801d3

SHA1
961dd94650bf0e025071d49b5c572cce8d8b3c79

SHA256
7aef1b83fa16bf060f63a1d916ab8308e5149fc714cee536fbf5671802e9ea47

SHA512
c5b622ea25181633c10d5d127ed2f5002648d295cfb41481457c842a8ec8aa256c1ec187b7abec8fc8836a8510ab45681369a9918f5b10d754539f88bd662762

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2f4e82f6757a1a353e98e20891654ba8

SHA1
96bf87bbc056aa01fe6951b9126fce56a77edbb2

SHA256
cd9103383839c13a5eb126becd1bc2d728d4ef6f4d39c3f18cab9c125000b007

SHA512
9444bc8725348e0f90c53bd2e9071e1f7fbbc417b89c4b6bc6c7285f14302e97efd793b8a435c10c620ee4ca60484551b52895f15b0a94600cf5d63e43b13310

Download Submit