4a19a153544c76c78a29fbc2a8cf2e64824ae39cf6d32efd6effe16c325f406e

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff4015bf4a75a9e063d94faf61a2e3e1_JaffaCakes118.pdf
Size

35KB
MD5

ff4015bf4a75a9e063d94faf61a2e3e1
SHA1

0923e89823ae1238710f5f30e0b777a8fda7ecc6
SHA256

4a19a153544c76c78a29fbc2a8cf2e64824ae39cf6d32efd6effe16c325f406e
SHA512

af92f277fd7d02b2ec9ea91f7e65f6c559b41a0981dccb0305ec9db62a5391a7812da4a4732436d77c0ecfe51ca81b642a79ff4efdc86cdd451ce0f2f11682ca
SSDEEP

768:RxwZRVxAeZsKWKnCuMkMitw6uPnXyWUwfWVN2lVyxW8l9qbJZvcX9Fu:RQRZWCDMkXSlyWuVAlVAl9qbJZvcXm

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
768	1976	WerFault.exe	27

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1976	AcroRd32.exe
1976	AcroRd32.exe
1976	AcroRd32.exe
1976	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 768	1976	AcroRd32.exe	28
PID 1976 wrote to memory of 768	1976	AcroRd32.exe	28
PID 1976 wrote to memory of 768	1976	AcroRd32.exe	28
PID 1976 wrote to memory of 768	1976	AcroRd32.exe	28

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ff4015bf4a75a9e063d94faf61a2e3e1_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1144
  2⤵
  - Program crash
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-0-0x0000000003FC0000-0x0000000004036000-memory.dmp

Filesize
472KB

Download