596e728de1a566ab790652bb904a96db632f3c73a18bc3974b47ff0a208e097d

General

Target

ffca59cc07c94bef05e20201bb43f443_JaffaCakes118.pdf
Size

79KB
MD5

ffca59cc07c94bef05e20201bb43f443
SHA1

e7dc309d7d145cbdbf9d0772f97d6469c08cd927
SHA256

596e728de1a566ab790652bb904a96db632f3c73a18bc3974b47ff0a208e097d
SHA512

622ea93f71444989eaeecb854f27598159c791374dc5a2d941d13d7e3bf8b1a9ea7893742bb09ed0ddb76002feb01f2b2b6db92c7614b5f9555add0ca8a4e80d
SSDEEP

1536:MDqW+/P1e2vFMMS+UtBbJ58kUG36ynXD2csyPKrwWORe8qV0nkq9OW6pOu2uxNFn:SqhP1e2vFMv+Utmk4yXDFPKr6rqELu2k

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1916 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1916 AcroRd32.exe
1916 AcroRd32.exe
1916 AcroRd32.exe
1916 AcroRd32.exe

pid	process
1916	AcroRd32.exe

pid	process
1916	AcroRd32.exe
1916	AcroRd32.exe
1916	AcroRd32.exe
1916	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1916 wrote to memory of 2788	1916	AcroRd32.exe	RdrCEF.exe
PID 1916 wrote to memory of 2788	1916	AcroRd32.exe	RdrCEF.exe
PID 1916 wrote to memory of 2788	1916	AcroRd32.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 1812	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe
PID 2788 wrote to memory of 3856	2788	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffca59cc07c94bef05e20201bb43f443_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D58E5EE2184529D508AD50C6157FA45A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1812

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=76ADB05C9016F5DB28688D9AEA20F9FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=76ADB05C9016F5DB28688D9AEA20F9FD --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=014D8F9EE8F8E37B1DA46A936962AD9E --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4A336AA25AFF65FECC449FEDC7E4D814 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4DD8C61F11D0CBC124D05C6B68CFB37D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4DD8C61F11D0CBC124D05C6B68CFB37D --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5238462B16B21614DE69AD0FCB220405 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
e2438b08131058ec75dbd27e76c7c0b4

SHA1
9539b7c7ac1d91edd3c914cdc8eed7964acad241

SHA256
4dd78d5647ae9999ca07670198423890e49fce3388755f8438f08e7f4c2c306d

SHA512
0f74540b654d48ef3bcf35f77d2e1786e53765c694e3fead034ab84abd0c2e017d7ae3b8f8efb3f1b909dc882f72db1c4d5ddbe1064c4ba7d2d48c90ccf20324

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
c7ba56f052fa45659cb8ef2c9af5ef63

SHA1
f8d0bfe7134b1a5b7c2804b79c2c623420ab3657

SHA256
27362c880bf0d894d9d7d8cb343faf4c3c5fcf91c1e5ab726cfde1a05ab948d8

SHA512
8a0d2a719c65f162e3f9a60c21260c7ad851f274f04759f476a7ffd1d17d256bfba9008f873566c5e52d132e001e41e9a40c4200b905fbc3b7191af207e29f0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads