4970ff4e42a64f4c1b180db514ba3703ed18676ad1554e02ce0a5c24bd5fa51c

General

Target

ffaed46b1b54bf81e5adfd5967bcf7e4_JaffaCakes118.pdf
Size

43KB
MD5

ffaed46b1b54bf81e5adfd5967bcf7e4
SHA1

7f96a9bcf0fb185c608001b1fd9bfb95c19d07a6
SHA256

4970ff4e42a64f4c1b180db514ba3703ed18676ad1554e02ce0a5c24bd5fa51c
SHA512

5f974ccb7ec8b980ec6fb686b4c7df71be60176c97bc0f9fa99740c7522a3710392143b206d2865feec5964a8101bc0dd52f66c19a7ddd3d4f3fd3eab7208149
SSDEEP

768:fzhnxv0eFEDPcNzqmkxngc3HYpZD6DgXqQaQv7dXo4SV:b1KeFEIcmkdgcu2DgXfaK2HV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2064 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2064 AcroRd32.exe
2064 AcroRd32.exe
2064 AcroRd32.exe
2064 AcroRd32.exe

pid	process
2064	AcroRd32.exe

pid	process
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2064 wrote to memory of 724	2064	AcroRd32.exe	RdrCEF.exe
PID 2064 wrote to memory of 724	2064	AcroRd32.exe	RdrCEF.exe
PID 2064 wrote to memory of 724	2064	AcroRd32.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1968	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe
PID 724 wrote to memory of 1568	724	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffaed46b1b54bf81e5adfd5967bcf7e4_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3012905467517E90ACA5A71A163DEC40 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EDB5E1D5B7D8E4AB2720F836E4B98251 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EDB5E1D5B7D8E4AB2720F836E4B98251 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D833B24570174633121A171F887A3A05 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=28CAEE7000F0960C9F78488E71967AE0 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=886B90C3FA2335487DE70BE972263CCE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=886B90C3FA2335487DE70BE972263CCE --renderer-client-id=6 --mojo-platform-channel-handle=2016 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D13E17ABAB9D09356906207A7F2F2884 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
73cdee75be8d91cac23045de8d5a44b2

SHA1
0cee76345fe359dcf56981d2add0d9865501c1f0

SHA256
cade061b246996b54739dbee75844c57c99b9606cd1933f90d82a4ecbbe40e30

SHA512
1fb19f88f7ef79fa94c0b85c67b8883dd59abf9762e4b9e0e6d3590edcca0d58395b314edfa209dc88c65726881f2d465fab4776c7dce32cd0f236b1da3a56bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
851208f4b067a1b8f0faeead1b489acf

SHA1
008dd2c2bbaae9bea904ea30303a3435a4536c63

SHA256
5d10074a0c42c2c01480fe141092d4cec1e8a6cd9b86636afef97a888167ec0d

SHA512
dd5091f4c78ded3b505bacec579bda93f879b0c6fdfc9a64aad79feb08286960d0fa1b895e7a2da1e76ac7302b2207550dd774bb135d17e8af24a2732dce276f

Download Submit
memory/2064-28-0x000000000A470000-0x000000000A4C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads