cd2e413228a4c14519f09b7a5a661ff50dbc67402050ee946643017eae7c3838

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e01ef0e3384f005f2179407dc9fe2801_JaffaCakes118.pdf
Size

97KB
MD5

e01ef0e3384f005f2179407dc9fe2801
SHA1

c9b24131610f83bae2b20bf4e636680b6d817a71
SHA256

cd2e413228a4c14519f09b7a5a661ff50dbc67402050ee946643017eae7c3838
SHA512

015ab1d3b1eef91ff35cd836cafda1e6bfec57d6536a29d0c8baa37cb6d789eca7fb86128848222b155dcada685df20ac9f96303b71045daae808d2e0db7ae8b
SSDEEP

3072:8ruW+hSywElFI/Z2ATRsP2c34vKHlVMM3JaF3Z:PSywJ/RTRozovQZi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4076	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4076	AcroRd32.exe
4076	AcroRd32.exe
4076	AcroRd32.exe
4076	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1968	4076	AcroRd32.exe	90
PID 4076 wrote to memory of 1968	4076	AcroRd32.exe	90
PID 4076 wrote to memory of 1968	4076	AcroRd32.exe	90
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 704	1968	RdrCEF.exe	92
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93
PID 1968 wrote to memory of 4516	1968	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e01ef0e3384f005f2179407dc9fe2801_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=504DBB465AB78B4C238F0DE82CD685E2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:704
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=55F3B98837C2B6EF3A66813EE5FC0791 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=55F3B98837C2B6EF3A66813EE5FC0791 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=624DBF8E2F5AC360F74169238F293F4F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=624DBF8E2F5AC360F74169238F293F4F --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40173B53D178E75D3D5F02C13E1F63E7 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29C5E74557B674590A30B2A218D665F6 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4780
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D9A5A147282E3601D808E0A11923D06 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9ef13730fb3c6f9ea08e6ded1863e87a

SHA1
a99b3593a1b7e957ea5d5351ddb386ac4e55b694

SHA256
c2f3db4780ef8a99502fc66390cb65fd6de9566e5de931ed9e722ec34a59380a

SHA512
92a219c6f7f2e2021702a47e2be7590218aaa7163dbd186de4070ad48f8b1a8632a53b89abb9ac85a36e647da815e8ba3519d3dd198d2ad79b36f9b070ede015

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7109d59e8e9b563ad793ca3d28d79efb

SHA1
25f77ab79fdecd7c05540f80c49da92864ffd86b

SHA256
4db36e6e0f5293d136dbb2bf353ad9cc4876d2c3da6e4ae5adbd2568ddc595b5

SHA512
1da5d978017390b8f87f5958db64ec1d251976656fdf276e9b73dc52fa4918f5cf399cdc428d649a2473ad1e4ddf647e12803b5171601545f3e23f21cd949ada

Download Submit
memory/4076-30-0x000000000CB80000-0x000000000CBA1000-memory.dmp

Filesize
132KB

Download