6f6eec589fc7864c14eaeddc62110f2ed5e719320db5a2748e8d73e8ae7300fb

Analysis

max time kernel
141s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 00:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f91e7eac56fe41c61d042633e06aa623_JaffaCakes118.pdf
Size

57KB
MD5

f91e7eac56fe41c61d042633e06aa623
SHA1

568e30209061bfa98605e5d64a1f5fc622ea47ac
SHA256

6f6eec589fc7864c14eaeddc62110f2ed5e719320db5a2748e8d73e8ae7300fb
SHA512

4af135829f322acd86de75ab8a575e9edc922f489ed4e33d3704b5f9f85096282451fc2a4af4096653d1f8e34cf959b7b6637320b75fad3482dd56d08063fd27
SSDEEP

768:ufynW9rXkYtZ4QI12woyc3tI3SycMHO+ypuPSUqKvfQGaOGLLA4Xb190Ub1W7brl:ufyCXHa12ayI3Hc5TaqKHMOW9uTCynGE

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4716	AcroRd32.exe
4716	AcroRd32.exe
4716	AcroRd32.exe
4716	AcroRd32.exe
4716	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3052	4716	AcroRd32.exe	84
PID 4716 wrote to memory of 3052	4716	AcroRd32.exe	84
PID 4716 wrote to memory of 3052	4716	AcroRd32.exe	84
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2084	3052	RdrCEF.exe	85
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86
PID 3052 wrote to memory of 2524	3052	RdrCEF.exe	86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f91e7eac56fe41c61d042633e06aa623_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C95DA3CEFC870BB2DD6EBDB6424AA070 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4917D3197350808CE9FCB23FA3085890 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4917D3197350808CE9FCB23FA3085890 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC7CE648E17A596469F90FA59F470E6E --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2628
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8D0853BD82BDEC8AE9394153D61A8C4 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4920
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=86FB9CC15CB60D6AAFEF0F4DF90D9C2C --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
62b4b007287e359fb33ae5a2b20cb4f2

SHA1
01f07f8e272dd6ff739068ee6e5d068e7b33b9cb

SHA256
d3452e52ca080c0d1b4c673cddd0f0a6e0355804f0e25ad2af2120cc1b66c92a

SHA512
8af19df8523e61f51ad364b8623dec9dc08c99374b59ce94445ec72d4cd5dcd56b1d3543b4fb344a0c302be07cee80cdca0bb9b0cbff5009be9b61c3911f77d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
df11801396d6187407ff55f8ac4a802e

SHA1
f25175fe052ccb6b3d2d24665d6c38cba1ed820c

SHA256
589e9ea121648244aa46d8c12ee2c83a77bb9151b14d6f0fbbe0c827403af282

SHA512
f74b56738c6e6e7a130e742cb1255d9254719e7284dc47df10e003ca0af831bb2d06d10324ec5607480e4fdf3745cbd2ab577fba8b1ba60608a91f5da3fcc33a

Download Submit