050a5a53a8b0421488980ba7ef6e04b8ab921e2d67e538df2054641830fc4bcd

General

Target

ff9d346778323901fcdfcc2ac7cbb29b_JaffaCakes118.pdf
Size

34KB
MD5

ff9d346778323901fcdfcc2ac7cbb29b
SHA1

06d2261f1a3892cdfafeb20cb98b0e18e7fbba44
SHA256

050a5a53a8b0421488980ba7ef6e04b8ab921e2d67e538df2054641830fc4bcd
SHA512

0deedcfd1c57e562950241e093338d0896c86fa895fcaf46d83f4b7be297743a687f2318e6ce2788562c18bffc1cf2237e87f5a4ab7170e3001282e9df13d5dc
SSDEEP

768:yNtvx0DFLJp9lOsQ5emEK/e4HHGPbOAbbUYDPK:mx01JpniemT/e4nuRbbPK

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4644 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4644 AcroRd32.exe
4644 AcroRd32.exe
4644 AcroRd32.exe
4644 AcroRd32.exe

pid	process
4644	AcroRd32.exe

pid	process
4644	AcroRd32.exe
4644	AcroRd32.exe
4644	AcroRd32.exe
4644	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4644 wrote to memory of 3832	4644	AcroRd32.exe	RdrCEF.exe
PID 4644 wrote to memory of 3832	4644	AcroRd32.exe	RdrCEF.exe
PID 4644 wrote to memory of 3832	4644	AcroRd32.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 1980	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe
PID 3832 wrote to memory of 3804	3832	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ff9d346778323901fcdfcc2ac7cbb29b_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=720DEF85AC2052EC06EA5B1ECB11B1D9 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=991EDF88786BA894954E2ED71547272F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=991EDF88786BA894954E2ED71547272F --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05223A353F21C5F981CB11D145F97D7E --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4144

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D428027FAD65B811DB7643DC0C19C030 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7B6A9618E6DBFB8A26478BD0AC719AF6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7B6A9618E6DBFB8A26478BD0AC719AF6 --renderer-client-id=6 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6560C4690317E2CDB1534D4C4739A6B8 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fc3274d8aa14c332f24dd76f98e1b5c9

SHA1
7e9450d8d2e64c63cd7c055dd996aefc7d90b3c1

SHA256
1a833d590b3a81438d05e7f5cf8552aef2471a6e263a5b9350e03c471e0c8c0f

SHA512
c04dc19f7935409bec7def2813521e1af522c2c2948c84c3ce6abd5a6276e3e461fd1fa58b8f50248131ebe054130f502f1389ddf8c548322f9013480688ba89

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7df49d75c5bdb9e634ef7caaf4158ca2

SHA1
e508a38607608d0b90f2d406a574b427f86f4e77

SHA256
4f29909c48a4b54873b7dc0e11f4a49918814bb35ae83db3ae92f842525b7ba9

SHA512
8177ea67b5f1df4a3c83909105b266371b3b01b509a9df852c1d25fb96a1e917550300f70cb1cc710f0f005ffeb4ebae7b076c347626daef173691fb175da047

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads