21ae7d6774a626bdce8700d78a9fa13536d59c0f4a0f4bc13a35bd6b3cf6f096

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9de0741cdb0ca6eb77cb7ade0ee7209_JaffaCakes118.pdf
Size

90KB
MD5

f9de0741cdb0ca6eb77cb7ade0ee7209
SHA1

4879915be7b7e7ba32d42eb65fef321bcbef5ee9
SHA256

21ae7d6774a626bdce8700d78a9fa13536d59c0f4a0f4bc13a35bd6b3cf6f096
SHA512

3af4ab98b87e8155034e5e814a540417bd30be5a53916fefbb7f5c7b334720ea4a8f6ed9da1876fa6a8001b1b3673cd04dca9403b6a78cb188b2c9ccc562e917
SSDEEP

1536:voifHE8KM4PJLnz8W0Prvq1sZ/5e4c9LzWypOlWWxX50usmDCvIY:g2BKM4P1ObMKs4cRslDX5VsNP

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5076	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5076	AcroRd32.exe
5076	AcroRd32.exe
5076	AcroRd32.exe
5076	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4168	5076	AcroRd32.exe	92
PID 5076 wrote to memory of 4168	5076	AcroRd32.exe	92
PID 5076 wrote to memory of 4168	5076	AcroRd32.exe	92
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 4356	4168	RdrCEF.exe	93
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94
PID 4168 wrote to memory of 3488	4168	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f9de0741cdb0ca6eb77cb7ade0ee7209_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ABCFB79815377E93036B65ED918D5AFF --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1A01523A64E3D2628F82AE22FD2AA50D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1A01523A64E3D2628F82AE22FD2AA50D --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDABDCAE596E81B4F16CE0CEC11A78B9 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=620F98EA5DCC33E59A5AF4D94A16BDBE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=620F98EA5DCC33E59A5AF4D94A16BDBE --renderer-client-id=5 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66143026E116701108AAA79987595F48 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FBB85A5F53E4996DFABBE0E2094C6E61 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
223b8e2b89cce31dfc84495d8a24b8fa

SHA1
fae93ba282ca9e0d7a9f98053c440d524e9c6ac6

SHA256
3c1ff5f0a0953af6e130a5331b9d03efae6f148fe18fbef9afb173ca2e53356b

SHA512
c6fccbd60c34f8b1d4fd92c50d3524c11edbeb8ae03ebe474d391e7a83c96137d9ffab6787c5dd0c441635e4696c150952429cacaaf1dd987df80556e76d2da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
82a7c2189919bd76011b09f2b960fc64

SHA1
34509dc13f89775486acc6b894871a271d01e199

SHA256
977861329b51d95661c8ff15793255a854581389055f017ba2bb95d8cd388c78

SHA512
e7a81d16c76b152102721c873eab3295574899e3500a9fe1333b8e3b5694f4092da33849b4a658ea2b03465400424c4a92d0ffdd7a193f00a4dca922c7f8cb38

Download Submit
memory/5076-29-0x000000000BC90000-0x000000000BCE0000-memory.dmp

Filesize
320KB

Download
memory/5076-31-0x000000000BC90000-0x000000000BCB1000-memory.dmp

Filesize
132KB

Download