27594326bdc7513567d283ef3f708a938bac9285cc6ec422ed95af7d07ff3bfb

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 23:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c52d7a197e1ff9e0d4754338417f733d_JaffaCakes118.pdf
Size

71KB
MD5

c52d7a197e1ff9e0d4754338417f733d
SHA1

a85bc73a566d9c716d641e54f5e0f85d840171a0
SHA256

27594326bdc7513567d283ef3f708a938bac9285cc6ec422ed95af7d07ff3bfb
SHA512

554bedc5b3f53420ba44c1e675c3b028ba5a55a0b62a27585bf7635a70dec4dd7a38ecb4a8ea9e4162158fe6000d19e17457f76c942c890cf67526ee73a471a1
SSDEEP

1536:CjvpNT/J3qAGIjDMa+MEP8G/F4RWGpOKBVdiEhWUR6V20cEWUzt1:SnJ3OIUa+VP8G/RKFiE9RW20UUX

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2160	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2160	AcroRd32.exe
2160	AcroRd32.exe
2160	AcroRd32.exe
2160	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1620	2160	AcroRd32.exe	91
PID 2160 wrote to memory of 1620	2160	AcroRd32.exe	91
PID 2160 wrote to memory of 1620	2160	AcroRd32.exe	91
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 3972	1620	RdrCEF.exe	94
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95
PID 1620 wrote to memory of 1896	1620	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c52d7a197e1ff9e0d4754338417f733d_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1458692DB18F31EFF312B0D2C56478FC --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3972
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=766B53F32364BF38DEC3552938A8E5F7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=766B53F32364BF38DEC3552938A8E5F7 --renderer-client-id=2 --mojo-platform-channel-handle=1680 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1896
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29A96B5AAC667E7BBA2CAC1F38EA2939 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1412
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DBE6DC0E9663D656ABC3A915C16EB9D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DBE6DC0E9663D656ABC3A915C16EB9D8 --renderer-client-id=5 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBC6C0A74FD18AC9E9C1A7CF05D23F3F --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1708
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC159EAEB3CF35CC46F3A546D8470B8D --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7d0b7d8d331d85e0c5a3fcb56cad1c21

SHA1
df21ad37a13690ad45329661b668768fdd0cc4a5

SHA256
7a62589a483dff1baa59c32af78c112758d7be2b2c94f0f3f1b3b52627704029

SHA512
90a6de5bdc288e0c5c8d418c1cca38015592ec940b56460b5ae3294cfc6f4ac3593dbfb7e0a619447898975416b2973e6ed3ed8581b17633dc0050da780b8bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
647abcd9d0f0d7d8559e40223f713087

SHA1
76aed22bdce15c51844ee751f9ebf8756d033f51

SHA256
f4b37b008c7363929b28041fd685e9cf22104868694cacb272225c486a4b1482

SHA512
7d85263a474b6b2b28685768a111a2a82ad0ef3122506a5a1dffff3bb7cebd703a8bc096402087e737812a21a52b29d20ee1134e5c5229613646ce569f307dc7

Download Submit
memory/2160-31-0x000000000B200000-0x000000000B221000-memory.dmp

Filesize
132KB

Download