0b73994ef7a4040b0663b781ba6af3c0dc5e5cf318fa07ec0414853521b5b1cb

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e173af1296082f3a9a24d8b226fb7b_JaffaCakes118.pdf
Size

86KB
MD5

f2e173af1296082f3a9a24d8b226fb7b
SHA1

fd4beba4c04467663881c0adf74c493f91ecbce6
SHA256

0b73994ef7a4040b0663b781ba6af3c0dc5e5cf318fa07ec0414853521b5b1cb
SHA512

c3f334bba3cce40081d700e53730cc6484fb8f09431614e64f015ede99483b3b89fa8ec492a2c2d159ef042166c793e6b89ebac5926397551da1f0c23b7fa653
SSDEEP

1536:rEJS7nis5maHtp5XkkaW3J8TCXgx0oFLXM05lmSfWjTkbW8pO77q02x:AJSziomi3J8TCXgxX8ElmSOkm7WF

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4356	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4356	AcroRd32.exe
4356	AcroRd32.exe
4356	AcroRd32.exe
4356	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3832	4356	AcroRd32.exe	92
PID 4356 wrote to memory of 3832	4356	AcroRd32.exe	92
PID 4356 wrote to memory of 3832	4356	AcroRd32.exe	92
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 1892	3832	RdrCEF.exe	93
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94
PID 3832 wrote to memory of 3080	3832	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f2e173af1296082f3a9a24d8b226fb7b_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3DC36631FD55AE5A1A2AF63C06ACE1ED --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1892
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5AA32FE177A7BB9161BF457880EB435A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5AA32FE177A7BB9161BF457880EB435A --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2E2FEE7A45B1A9AC86F88C6D5A1DE97B --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1536
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA26ED1B5274F90AF2517F3E8585DB97 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3196
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9A4ED2023C7093B9AB15523865599F28 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:628
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ABABC9A6535C982AA62E5DCE4BCFD917 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ABABC9A6535C982AA62E5DCE4BCFD917 --renderer-client-id=7 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2cf8185f10012542d68c759e4727dfa3

SHA1
c27b11b731b7a2052804e5b83b605782fa703ef9

SHA256
aa2617344c830e0413c4be68d3670bd1161ca1ae9cba0d270f9da313521fa369

SHA512
b7cb4a4f75fa6d03c8b309aeae35c7d9cc9edb1a749ffb43ff1260edea41d6acdcda932a877e06de2fc162d33fea12838e74278d6b24bc183a2a494a785cd5a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
784d0fa91d8ff3335452e93417886ec7

SHA1
8e6075bb8760c02f07775ff9fe22eb15840550c7

SHA256
b0587cb584129d0ce7113f13647af684807f7dbf4a7fc57a0ab3a5ca657eff2a

SHA512
6f231b772d5dcb38c90bd776db7a31db3d441ba377a1335290d4ac8c715264689feb331f00da065e775ab5a3e1f9bf7fd7da732b9aae5bcd1769fb92a543599b

Download Submit
memory/4356-30-0x000000000B090000-0x000000000B0B1000-memory.dmp

Filesize
132KB

Download
memory/4356-29-0x000000000B090000-0x000000000B0E0000-memory.dmp

Filesize
320KB

Download