bc6dc4fbb7071bcea3e28380df4838a98f5c7833690022ec95c367c9d28ce95f

General

Target

ffcc6c0cf427af07a21872c1297bc5f8_JaffaCakes118.pdf
Size

67KB
MD5

ffcc6c0cf427af07a21872c1297bc5f8
SHA1

b3c3bb2df751bc41f644cf9a3f4a05c771182080
SHA256

bc6dc4fbb7071bcea3e28380df4838a98f5c7833690022ec95c367c9d28ce95f
SHA512

e9f9a369e41ae341605ee376b070bfcbf6c5d476ee1215a7b2e8aa296aa7693f82fc18c9fc00185c9ecc18c2981ddd8d7311b22b221a43f3496a2ec8fca5ef69
SSDEEP

1536:EnjIW7qi2nfNUvIr/0vJhmJ4I7l5SkhNaXoNzv9DmR9ARlDN7zMSf2DLJC:4IWeNUvI0vLS97VCXGZGAZHzfOo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4528 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4528 AcroRd32.exe
4528 AcroRd32.exe
4528 AcroRd32.exe
4528 AcroRd32.exe

pid	process
4528	AcroRd32.exe

pid	process
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe
4528	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4528 wrote to memory of 2148	4528	AcroRd32.exe	RdrCEF.exe
PID 4528 wrote to memory of 2148	4528	AcroRd32.exe	RdrCEF.exe
PID 4528 wrote to memory of 2148	4528	AcroRd32.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 2676	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe
PID 2148 wrote to memory of 1080	2148	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffcc6c0cf427af07a21872c1297bc5f8_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1964E96C41AD8157B10A30D2230E1728 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A35D80D73ACC046C3D7313129ECBA98D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A35D80D73ACC046C3D7313129ECBA98D --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6491A83DC471FB07FDB221B8A647B56A --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9184E15A59CB2EC55ED5561C1BA803B4 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=63A73F5B72A276BB20F04EAA611D8E0C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=63A73F5B72A276BB20F04EAA611D8E0C --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1AE6B4E84515C70595A038378DC7A4C1 --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
6ee3ec0447c637872b38a7d90e2b0868

SHA1
0ade2c8f0c210cbafe57813c096a0bca5a769181

SHA256
7a0f25116c19ead7acf50a8f71cd86769040ee6572088940d0ab7bbdb41493eb

SHA512
cb7624069fa5574c2f2c5c359c59ac7a61e1574fbec7cc8dfad92256c65169091ffafb21cc28dbc816442e7b2ef8509843a077bf05d1f32dd61d367ccd03b319

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
bef39b4d4e59857c2cbabc6248a3ece7

SHA1
281f707f9fb856848cc0ef761bcc670bd15a9451

SHA256
5bd831497b5b9bc18a22146e0907a080aee93a18db9a87958d44ef49eb35bd03

SHA512
22a8a3fd67da40ad4e23b374a176d3ed6557282eecc4ddf317c28aead03a333c0bdfd4fa6adef9503d1d59c12cd60b84f1d7c59cc7702e3c22c155f126da19a7

Download Submit
memory/4528-29-0x000000000A490000-0x000000000A4E0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads