4b6a83aec6eebbb01913fb560db6a5bb93c46ab12d16ddee2bb50b9b6adf6dcc

General

Target

ffd07847cb0dc8702c4578608c4179d6_JaffaCakes118.pdf
Size

106KB
MD5

ffd07847cb0dc8702c4578608c4179d6
SHA1

a28c2414a36bd3fe613a599ea2dac9d6b473dd48
SHA256

4b6a83aec6eebbb01913fb560db6a5bb93c46ab12d16ddee2bb50b9b6adf6dcc
SHA512

798811264ff3066e22f92f8f3bdb7032e0fa961222b6e58371e141acf6586b0955c6ac1458059bcedf92392aea40333d07c3627ee8f25718720eb7b1d3c5f4b5
SSDEEP

3072:qMu3U7ZLJ+kIQEkQ4em9Xt5aY7cVOJKwfs9ReOUrZ:M3pkIQP139XF7cKORu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3796 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3796 AcroRd32.exe
3796 AcroRd32.exe
3796 AcroRd32.exe
3796 AcroRd32.exe

pid	process
3796	AcroRd32.exe

pid	process
3796	AcroRd32.exe
3796	AcroRd32.exe
3796	AcroRd32.exe
3796	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3796 wrote to memory of 516	3796	AcroRd32.exe	RdrCEF.exe
PID 3796 wrote to memory of 516	3796	AcroRd32.exe	RdrCEF.exe
PID 3796 wrote to memory of 516	3796	AcroRd32.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1608	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe
PID 516 wrote to memory of 1660	516	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffd07847cb0dc8702c4578608c4179d6_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=34D3A578DE09AA679FBD4E31F90B276F --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E5E21428E78778E41BA7E013C62431F8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E5E21428E78778E41BA7E013C62431F8 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=802EF779BAB562CCC20AC09440D0D219 --mojo-platform-channel-handle=2156 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0DDAE5450D81D8F9DB4D0A17E7A99260 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0DDAE5450D81D8F9DB4D0A17E7A99260 --renderer-client-id=5 --mojo-platform-channel-handle=2144 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5A6B4E6ACF52C25CCD4C727122293BC2 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2752

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4D2643B5BA08D9E936F71F841ABB6DC6 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
dd89ea4fd5bf429bc0d169b55656b281

SHA1
b220d0ac3e93ab3845148749503fccbb6b1598a3

SHA256
702346af3275b06ba19178eed9e90a43acefe0181df284a2ebf547c867f7d18a

SHA512
b93ab0cd1cf042912ada1917634b12b568d838abeacdb7a9f2ee28b6fd899d681ff6a5cff63e403e09ab3b0ae45b73d972284021414df64a48e4d2b867fc1262

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
3874943c5951cd483a071e8c540e2648

SHA1
5157d4babcec4b4f6663d80f6cdae171cd6acda4

SHA256
3ce6d35f024bb39cda3a0b5a626ecb002ae6401285aa9deda5781b4171e82619

SHA512
3c1dfcc7186c1a72c81114e3485f9f9f56dba6928cc09062b3093018d47815d2834db29e4b3a4d574605180b382d2846c190aa0d1eab1147e4e75d2bf41f96a4

Download Submit
memory/3796-30-0x000000000DB20000-0x000000000DB41000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads