97c3a518f31f839ff60a0306f654cb48018d9c039e017500374d935df68c4f6f

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 15:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

251b2aa865438eed976e5070d5b8d2d5_JaffaCakes118.pdf
Size

83KB
MD5

251b2aa865438eed976e5070d5b8d2d5
SHA1

0a183806c0ad14d9d384a05718a00ed220940ea6
SHA256

97c3a518f31f839ff60a0306f654cb48018d9c039e017500374d935df68c4f6f
SHA512

d329de31b57f968b5a77fbfc24cf08a156851de67d1bd19f92339fa575a628100af6af14253021083bbbdd83434a1d538f3d84a7b77992f6c239af2f52d5d4e0
SSDEEP

1536:82mT0Lz0ponQFzkXu8YzGOCQyJZfOryQnk07WBlcj+6U8tuVBUeW801+Ksdw4EWy:k00phzkXOSOCCyQk07Wnj6UJVytvsdwd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1612	AcroRd32.exe
1612	AcroRd32.exe
1612	AcroRd32.exe
1612	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1540	1612	AcroRd32.exe	89
PID 1612 wrote to memory of 1540	1612	AcroRd32.exe	89
PID 1612 wrote to memory of 1540	1612	AcroRd32.exe	89
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 1940	1540	RdrCEF.exe	90
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91
PID 1540 wrote to memory of 4908	1540	RdrCEF.exe	91

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\251b2aa865438eed976e5070d5b8d2d5_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8AB6ED2BC7F7B1D56333BC161314021F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8AB6ED2BC7F7B1D56333BC161314021F --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7B59D2CDB3FFA7D7A45337E7E8A208A3 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4908
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7D46A1E30628CFEE1B5A46073E27DF2F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7D46A1E30628CFEE1B5A46073E27DF2F --renderer-client-id=4 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5CC41DB0038F85934808F7A4BE642C15 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C2762B6BA6FE3C14A71694DFAF26797 --mojo-platform-channel-handle=2644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2372
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=322730F1D1731CBEADA893DD30379F5F --mojo-platform-channel-handle=2100 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0c3c143f89cf7e93c4dc450610ec254d

SHA1
0c747cb22e9fc44042878e7a8d00453544bd8056

SHA256
b31f74dbbadd8175bf7d3b8cc5b6343debb04d2edb9d695b0b17c066670b0c0c

SHA512
3c5689ca7eabd0b528dc99e3502902d00319fe295670252704df451c9733c6bc9d09921c1bdb7d8279866e6d201c53fe84cb0db337329775f1325b2208788b62

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
449d1e5d46cbdc76eda7805922cdf134

SHA1
ad229bf9cd6848a55523436c57e95bc121fe7867

SHA256
93909b7c2ca402e54a0b69911c0348996fff52e929cd88322502157744df3058

SHA512
4c66c65c29a00a790c0a20a70e568b268c958b56ca585f504f3115d28dc422f4bb6267d3c67cd57b57aa641ba5c8a5bbee72dd359444c27c7b61a6fde427f38a

Download Submit
memory/1612-31-0x000000000B880000-0x000000000B8A1000-memory.dmp

Filesize
132KB

Download