2e2c3b29f6c3efd9a477f08b6cebacea08360ecbf1043434cdc84aea4e0514ca

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc9ec8821671b474190386d426bfcb86_JaffaCakes118.pdf
Size

72KB
MD5

bc9ec8821671b474190386d426bfcb86
SHA1

42f1ba6f273d666b1c236c268515bbb47b6784d9
SHA256

2e2c3b29f6c3efd9a477f08b6cebacea08360ecbf1043434cdc84aea4e0514ca
SHA512

6e0e424d4d088ac8411b486437d933bf731ad920736fb07c629d7c65e7cd001173a19bf8529f5243527240d26b29e38072e44ec1daf7167e4a1b5bcfda9ae07b
SSDEEP

1536:nHVky7rKAoTfSsEmsaUfeOMlrVjMgDbLGA9GWD4Prdu3QTWOpO:1kor+bwmVOMlrVjMkLGjPTI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3204	AcroRd32.exe
3204	AcroRd32.exe
3204	AcroRd32.exe
3204	AcroRd32.exe
3204	AcroRd32.exe
3204	AcroRd32.exe
3204	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4864	3204	AcroRd32.exe	90
PID 3204 wrote to memory of 4864	3204	AcroRd32.exe	90
PID 3204 wrote to memory of 4864	3204	AcroRd32.exe	90
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 4908	4864	RdrCEF.exe	93
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94
PID 4864 wrote to memory of 2008	4864	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bc9ec8821671b474190386d426bfcb86_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=24F788D0B0548FB41C41F3367C546BAB --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4908
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A3CC7325F219727C4882030E0187B5D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A3CC7325F219727C4882030E0187B5D8 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2008
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF1B8E1A6A6FD3FE5AAC3C3865EC842E --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=463844FE7EFBB73808A155A6490ED01B --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:860
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D7C213EF1EC8F46DB312141D5C63B827 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D7C213EF1EC8F46DB312141D5C63B827 --renderer-client-id=6 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4956
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=006BE5F7D5273B85A45135DE6D30796C --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
3728ad91865165f1667f09007537c22f

SHA1
59ba10e96dcc541102eb4a82f3460b732635040c

SHA256
2d3492233de441effa988719456841d6756ca1775081f7db0624e77f72f95082

SHA512
fd8b2aa30f1ccb09a18ee7ad5fb5b92eff97d4fe98e3b76c1b68eab72b3581e4160a3605ae59bc14471d6e71263ffb87143412b3a73ab33694f5d8caf1a00ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
20838e0a7bb134910c04368c678e5638

SHA1
9989d1523e97eb5ddf63672f9561186e9d039084

SHA256
588e648246dbc0f2a4f97d6e885ff4bf50eaa2d46aa1f8ba8452e1492fdd2160

SHA512
194c3ae0287e048e8cf61a6b46175a2354fe03656ba7a32f05638e51b34737a82c29a46129a17864234d5dc4d46e7438511a0b0b54fd426d0564bf2964e9498a

Download Submit