e1271b25d137bb38422d3037bd172084c3e9539c42e51c9cde1406e86bfeacaa

General

Target

fffc80e7d110844cf3a2511bc64ca147_JaffaCakes118.pdf
Size

81KB
MD5

fffc80e7d110844cf3a2511bc64ca147
SHA1

73a6db774646b2391d2c7c5592dac08edd1537b5
SHA256

e1271b25d137bb38422d3037bd172084c3e9539c42e51c9cde1406e86bfeacaa
SHA512

e1ff7c453b6b96dc98a176c632a5b1f4f2bac8dfbae79e6ed32430a3ee4fe353466b16c3a778c2e9747bf2c7f366d44b733184b3fc458a93fca2445fe4786840
SSDEEP

1536:jnwyObWdF4cm0urGAaPqVRzlue/RCFeDKRCzxMgaWyxSkHmeE/WspOLQca1K8SS:b3ETc5urePqDQFwKRQxMgIxDHbEmLQcI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

6056 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

6056 AcroRd32.exe
6056 AcroRd32.exe
6056 AcroRd32.exe
6056 AcroRd32.exe

pid	process
6056	AcroRd32.exe

pid	process
6056	AcroRd32.exe
6056	AcroRd32.exe
6056	AcroRd32.exe
6056	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 6056 wrote to memory of 4664	6056	AcroRd32.exe	RdrCEF.exe
PID 6056 wrote to memory of 4664	6056	AcroRd32.exe	RdrCEF.exe
PID 6056 wrote to memory of 4664	6056	AcroRd32.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 5356	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe
PID 4664 wrote to memory of 1580	4664	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fffc80e7d110844cf3a2511bc64ca147_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6056
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F4A1FA3E60E0BAD1624B1C0E37AFF624 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B215AA0243A43B059ADA88A188212171 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B215AA0243A43B059ADA88A188212171 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C942F29B25AA0A9ED8A8487009A5D116 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5632
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D08E906BB0368AB5D7F8BBD5F155979 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:468
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ECEC8460D6AA632E5B5AB1FD6D1DB243 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ECEC8460D6AA632E5B5AB1FD6D1DB243 --renderer-client-id=6 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4AC2F548897641213548BDF358EFF36C --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
aa99a626084376c760dcfe960ac88a58

SHA1
d35bcd6cfd922116cdcc0f97126f6806e36a4900

SHA256
e0d385083731c20e8045cd22f72d90d78cbbc53b0bad46f726c259dcac1484c7

SHA512
13a82630c63926f783d08dd633e96baa08cf12f2a277d65b7d1b4967b4a3f37e5dcca53968bb50e42bc3ccf79eea5485747762ee8e3b8432584fe0dc50d3014b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fc838a1dbe3af537fe1a1603553695b6

SHA1
89028000407c6cce597f45e6cdc71d7abf12e621

SHA256
fe6b217815676a574e45918734e9fe13290fef2fd806d38de98b6a02cdae725f

SHA512
3617e8779b76ec18f225b01a046a0cac3aed3ba3e9a5b914d10c7abb5bd4d0db1d89c56c0939b0fa9bd44447a9ab80fb8a285347b82a8aae378b6d9aaf77cd16

Download Submit
memory/6056-30-0x000000000BFC0000-0x000000000BFE1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads