1acf8a9c5cc19505315fbbc9dc57926731d26e183cdb3f79ec1e0afc8d4d9d8a

General

Target

ffb564ea81256a7aff4947cda7a25290_JaffaCakes118.pdf
Size

44KB
MD5

ffb564ea81256a7aff4947cda7a25290
SHA1

6a991b0216507c249beae10c3b89e9e6baa6c506
SHA256

1acf8a9c5cc19505315fbbc9dc57926731d26e183cdb3f79ec1e0afc8d4d9d8a
SHA512

03486cf25b3397bdfd500912d840d99458dd7f6d454714557f5f5fa29531a0146873ae407e604dd55ad0033fdffd56eeade0ea5fba8c160fd218d11c7590257c
SSDEEP

768:xvLdWJyhbafHNroRL6rx2hl5HFLxV2pmrB2/6lXx6kgAJKa0Dc9n+C:1cQnRL6MFFLxV2wBvpx6kgAxGC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2628 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2628 AcroRd32.exe
2628 AcroRd32.exe
2628 AcroRd32.exe
2628 AcroRd32.exe

pid	process
2628	AcroRd32.exe

pid	process
2628	AcroRd32.exe
2628	AcroRd32.exe
2628	AcroRd32.exe
2628	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2628 wrote to memory of 4292	2628	AcroRd32.exe	RdrCEF.exe
PID 2628 wrote to memory of 4292	2628	AcroRd32.exe	RdrCEF.exe
PID 2628 wrote to memory of 4292	2628	AcroRd32.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 1044	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe
PID 4292 wrote to memory of 3856	4292	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffb564ea81256a7aff4947cda7a25290_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF0B152D926ABE392A4543EB4EF4A354 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6121E8FF653A1C33FABD80D3395546C0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6121E8FF653A1C33FABD80D3395546C0 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A107CA15E4E9979BF044FD11CC87B7B4 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91733585D5925E676A25DEA79BE6B8D8 --mojo-platform-channel-handle=2388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=331BE3D6FA977FA249F8BAC58BC0E1AD --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D04CE471852B56320B3EC2DFFA4573C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D04CE471852B56320B3EC2DFFA4573C1 --renderer-client-id=7 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
83f3be2c328f78450a14ecd158d474a6

SHA1
b14547fe8e96ab31b97e1ee33306a3e873b0b670

SHA256
27b0a6d6d7d022ccf2928123beb92f76af50871f8eca8d4603e0e0b50be17627

SHA512
b8561e8c0b21dcf9d45d32b4223673f0b1c74cb95522ed5e0fdce2945bd244c4f07c1bc574218b74ebdddab87a63526bdb8d7f5cdf9701edd80f0503152b893c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8bec102bd38051b2fa9f6d7513787f03

SHA1
95b55cfdc192ec5ed78bcb4514bc5fed8c640f44

SHA256
5c48e4acfdfcebb4724f83048c656a092683f9581623224ceea9923f19dab481

SHA512
bd4d03ba427348d7cba547334679ff53417374034f0cb024f1f4cd1801923b7c1a2df0616841eadb699983b3c6bb97976b28a7c3a8498679853a6ff05516ac60

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads