57c364a61178cc13bff37b27353419dc28ddcaedbdca89bd476a2b2cd2d4d9e9

General

Target

ffd2072789f9cc3971cf3fbda72aec8f_JaffaCakes118.pdf
Size

79KB
MD5

ffd2072789f9cc3971cf3fbda72aec8f
SHA1

67aaabd41d5675a4024bc4fd542602934673a630
SHA256

57c364a61178cc13bff37b27353419dc28ddcaedbdca89bd476a2b2cd2d4d9e9
SHA512

b315dc8485b32ae0946c8f642c25f15eeb9a8a6333f6ef390c3991100d69176eb1adbb8bc14593b10f6aa0f56838be8cdac26930abac8a5716979398f13975ef
SSDEEP

1536:JKZSODJAWEb1Ht1rKR6zkg0aC28PBAcLJquabBnZvWApO6eWmV6Kt7zlAnYacss:Sj2WEtKR6z5BC28PBA+Jqu2ZO6o627zn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

968 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

968 AcroRd32.exe
968 AcroRd32.exe
968 AcroRd32.exe
968 AcroRd32.exe

pid	process
968	AcroRd32.exe

pid	process
968	AcroRd32.exe
968	AcroRd32.exe
968	AcroRd32.exe
968	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 968 wrote to memory of 4128	968	AcroRd32.exe	RdrCEF.exe
PID 968 wrote to memory of 4128	968	AcroRd32.exe	RdrCEF.exe
PID 968 wrote to memory of 4128	968	AcroRd32.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 2856	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe
PID 4128 wrote to memory of 3440	4128	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ffd2072789f9cc3971cf3fbda72aec8f_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B6587A82ED8F14C6C1090FD91FE1CA0C --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ADF59B7DCD2AB67A5EF2B71EC17AACDD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ADF59B7DCD2AB67A5EF2B71EC17AACDD --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B7EAC48390222F69F4E2715DB970A30F --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FCC3A2512AADA7A09DD52031093A5999 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1E4B3353626D606776D598456EA4492F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1E4B3353626D606776D598456EA4492F --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71C91DD833F7B9AD8714E5709871FB14 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
7c1bd08a89c2608537f4e31a5c8cb093

SHA1
3ac814f49f7f13a9a49f02712d9cb296d36def88

SHA256
2e27b983b890382df5344e5664ce841235744599b441a143bc576bb45cecf1db

SHA512
1cb3ab96d9647fe9b8d519d417d69f0f08bd3b1d546a2de0ee477ba033ded2454648815fc4bf08764c40c7ce8eb816d025c9a457ca511ba446f01e3e3e3b004a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
bb37284860a8e94a1f359f75106a1232

SHA1
5f7b94ec5a4202c7d24a0f512f14737190fd06e6

SHA256
8b52e057f598caec72717f42c8d61b2f2a28e052d064090ce8be6fec414fb6bd

SHA512
32cb6fb413c0bfab334a36552006a74f4a1039dfbbfc31a69606f4716813ad16613fc5f36b057613798848f7c186e509a81e87c3d04302b8319d78675c7b923a

Download Submit
memory/968-29-0x0000000009820000-0x0000000009841000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads