4e64f709a7a047571af770674f458109cf8c3e9c789e3ae02e566383fa2dcdcd

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac36357062267abacdfbc1f2191633e_JaffaCakes118.pdf
Size

88KB
MD5

eac36357062267abacdfbc1f2191633e
SHA1

6083505922387c1a3ffe0b03b893702bd8c13337
SHA256

4e64f709a7a047571af770674f458109cf8c3e9c789e3ae02e566383fa2dcdcd
SHA512

76edb51b042a607f56db29125dc1470f772e0322b001ac9359c53ee45c52190ec4ae4b1ec959f520ec17b13a6afd728097c53b499ccc65fc8a46a0e0c7edf34d
SSDEEP

1536:hkThIiKgZAaJrGOLzF65Wle699GDUrDZVt7O87eYE8KYU9mWwX9TibZ+jnJHWxAM:qTHkaJyOvF65Wle699S4ZVQc28Kx9WxG

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4584	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4584	AcroRd32.exe
4584	AcroRd32.exe
4584	AcroRd32.exe
4584	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 4968	4584	AcroRd32.exe	92
PID 4584 wrote to memory of 4968	4584	AcroRd32.exe	92
PID 4584 wrote to memory of 4968	4584	AcroRd32.exe	92
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 2996	4968	RdrCEF.exe	93
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94
PID 4968 wrote to memory of 4000	4968	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eac36357062267abacdfbc1f2191633e_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=33C1E32FD149D6F1D96E04E489AF1C26 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=75397B1725D241CD030BE7C251241767 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=75397B1725D241CD030BE7C251241767 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=72CE761807905D136F875C1430DFA2E7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=72CE761807905D136F875C1430DFA2E7 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2072
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2209B71D36D4F759566CB70D7A77DC8E --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1916
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0B2775FDA9D8729366A5EF3032479E70 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1944
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D04F4CA3AF3A2A2DA0B53F3B861477DA --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b1412ebbcbafa07e0445d43f128e280e

SHA1
e78ab5046ab0f53550781b2c0b0484005a005970

SHA256
028e99130611ef3461a933a356c26691c4d60fc98247f860c66cec1a1b7751f8

SHA512
e119590c0c29888c1d64ed189268f2c260c9249b61ac78f5dcf5a3125aaaadc95289f3ce76f3e7de7c64d0ab3c6b626e5f95b443f0b29e1b521a0ca8935117ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8167298c947090378be3984dfd060125

SHA1
8fe98a7dc85103761f5abdf4eac6e7937a6ccadd

SHA256
a3ef97e812c3b81f58459fc76a54a7503e57cfc4ef8a34636d7020550f9304b5

SHA512
21ba4ce3ba988e20ba8df373608bd517e81b13ccb9afa2a7b3ce38d33bd460785cedc398c5b494f3b79f01d7b6c7f05132671de6affd072c39c4a29e7940aca7

Download Submit