njrat | 84609f9e443225a23cca8ab6be910c207d220bb430fd543d0724eaae8f7df592

General

Target

fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
Size

801KB
MD5

fcae8c3823eecebb9b8e0f9f2b9eeb89
SHA1

53c49e7458363a22180916f30e6d945081b20d83
SHA256

84609f9e443225a23cca8ab6be910c207d220bb430fd543d0724eaae8f7df592
SHA512

e92b5187e95a78c7a13f77e36aa9b0c2c144a6404ac6071902fa9e91304f9fb4a2e0c5c56b6accacde432d0626e1f8be00eeb4befa76936c8fbf5eb81c84b480
SSDEEP

24576:ANA3R5drXPrfHh2bQA53HU+tV9iKOcuiLbGD:55j2Z1z9b0

Score

10^/10

njrat gold link pdf trojan

Malware Config

Extracted

Family

njrat

Version

20

Botnet

gold

C2

149.248.52.61:87

Mutex

165d6ed988ac

Attributes

reg_key
165d6ed988ac
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

winonet.exe

pid process

3376 winonet.exe

pid	process
3376	winonet.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe
2644	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

winonet.exe

description pid process

Token: SeDebugPrivilege 3376 winonet.exe
Token: 33 3376 winonet.exe
Token: SeIncBasePriorityPrivilege 3376 winonet.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2644 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

2644 AcroRd32.exe
2644 AcroRd32.exe
2644 AcroRd32.exe
2644 AcroRd32.exe
2644 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	3376	winonet.exe
Token: 33	3376	winonet.exe
Token: SeIncBasePriorityPrivilege	3376	winonet.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2936 wrote to memory of 3376	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	winonet.exe
PID 2936 wrote to memory of 3376	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	winonet.exe
PID 2936 wrote to memory of 3376	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	winonet.exe
PID 2936 wrote to memory of 3864	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	WScript.exe
PID 2936 wrote to memory of 3864	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	WScript.exe
PID 2936 wrote to memory of 3864	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	WScript.exe
PID 2936 wrote to memory of 2644	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	AcroRd32.exe
PID 2936 wrote to memory of 2644	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	AcroRd32.exe
PID 2936 wrote to memory of 2644	2936	fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe	AcroRd32.exe
PID 2644 wrote to memory of 5092	2644	AcroRd32.exe	RdrCEF.exe
PID 2644 wrote to memory of 5092	2644	AcroRd32.exe	RdrCEF.exe
PID 2644 wrote to memory of 5092	2644	AcroRd32.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2288	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe
PID 5092 wrote to memory of 2804	5092	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Roaming\winonet.exe
"C:\Users\Admin\AppData\Roaming\winonet.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r.vbs"
2⤵
PID:3864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A5F46B3279FB8ED9F3061D4355AA5F9 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F8CF1B8D0DD1E0745C5AEE6A66D844FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F8CF1B8D0DD1E0745C5AEE6A66D844FD --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62239FF3BF324B1C2607182832237CB8 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=920085A8C00F482D932B9A3595DE6D6C --mojo-platform-channel-handle=1992 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5D7E9B55ABBF8BEB38E66848C3BD349B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5D7E9B55ABBF8BEB38E66848C3BD349B --renderer-client-id=6 --mojo-platform-channel-handle=1996 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F893C94324AB236BC4715A1C74A79E5 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
abd4e4e79d0184a5c34f463d68933631

SHA1
637869772628af109b6b3859326fbe9b719166a3

SHA256
039d9e87eb413655a5b4d8cb11825824162982200a16668dee0eaa07d592a700

SHA512
5555bdf475890dafe649d0d18ec7aa8094bd02349d7500ccbb64c6fb825bdd0fc8dee8d6a06bb0d8e3234b0f2a195a9759c4c818efaa70105c644810076a9db4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf
Filesize
509KB

MD5
a13d8216dc256824b1c1ba7760752b26

SHA1
c90d057cfd7e1d42771ff1b6825e91a195a66e23

SHA256
1fa89a308f870a441042d1a1ffc0be0e791a843992a22b5ee142343684c171ad

SHA512
d1506906265a3a5de6c6c95df54a7b48fd1d16941ae6f0fb7b2f06fb83cfe6fda48d145ab0a9525dc6581abd29d44b5b44a01209e94f64d58f55a3c68a527316

Download Submit
C:\Users\Admin\AppData\Roaming\r.vbs
Filesize
1KB

MD5
052999da1fd40e27f72f97a1792f1c5a

SHA1
5cd7344606b78bebf071bfdb458ac90b2c328adc

SHA256
2545fcbee4cdb94cac171f8242bcfe1b2cdd048864c6f47ce0386d701918104e

SHA512
54dfd468414f6125b268d329cf9b10bb347f18d6eb3c822664f138fa2d1251c54a1221979b21f72bbb64db827d50e3ba2dd4c89fe1b9a2f50a3f7f68183c0ab7

Download Submit
C:\Users\Admin\AppData\Roaming\winonet.exe
Filesize
22KB

MD5
d66fac100b4268ce1451c8b5dc2a8817

SHA1
2e567a9fbac1955a485ba2d6a86700b09362eecc

SHA256
eb688e9d721c561fe334147c66679bbd988da10c06704a15f048b97a9f6b0f7f

SHA512
f71f538c432147d29ab126dc15a872333867f3fdaa84f8a5b266817390f618e5fb0e2304b5e0d0c859488f79ff45c14fc79adbc1d7fe65ee18693f196ec95356

Download Submit
memory/2644-164-0x000000000D3C0000-0x000000000D66B000-memory.dmp

Filesize
2.7MB

Download
memory/2644-53-0x000000000A570000-0x000000000A591000-memory.dmp

Filesize
132KB

Download
memory/3376-22-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-51-0x0000000004A90000-0x0000000004B2C000-memory.dmp

Filesize
624KB

Download
memory/3376-21-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/3376-150-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/3376-157-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3376-158-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-159-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3376-20-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/3376-173-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads