865d3aeb802966bc5e4ae5c03347ea9e2238bc92b5c63204060892a13ab0aa47

General

Target

fff54637ee66d75431fa2fbd1307f97a_JaffaCakes118.pdf
Size

100KB
MD5

fff54637ee66d75431fa2fbd1307f97a
SHA1

99c3a43a4b0e96b8be47fd3d9c45475bd8266435
SHA256

865d3aeb802966bc5e4ae5c03347ea9e2238bc92b5c63204060892a13ab0aa47
SHA512

0bf62005a65dac58308e16548757831dffff22ebc075940537046844bb1277be598944f34dae7716e554a7a29f4b3ab476a277757dca515c98f9323721be1446
SSDEEP

3072:+L0WmdhncVMztcvZ7ZtRGPWNMUSARAyV1eaIP:WGh6Mhc7qdUEaM

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4412 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4412 AcroRd32.exe
4412 AcroRd32.exe
4412 AcroRd32.exe
4412 AcroRd32.exe

pid	process
4412	AcroRd32.exe

pid	process
4412	AcroRd32.exe
4412	AcroRd32.exe
4412	AcroRd32.exe
4412	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4412 wrote to memory of 3968	4412	AcroRd32.exe	RdrCEF.exe
PID 4412 wrote to memory of 3968	4412	AcroRd32.exe	RdrCEF.exe
PID 4412 wrote to memory of 3968	4412	AcroRd32.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 2248	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe
PID 3968 wrote to memory of 3724	3968	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fff54637ee66d75431fa2fbd1307f97a_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C0E82CE82EB7ADBFEE10F86130F79EAC --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2248
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=076BF67821873ACE626AF23BCA5F6FA9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=076BF67821873ACE626AF23BCA5F6FA9 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F399CD1134B8B01B87C9A1AB61DED23 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1472
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC986CD2E61594C7D64F0E7F8830AAE0 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=95B9FCF96DE538BA8FD38D5735425964 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=95B9FCF96DE538BA8FD38D5735425964 --renderer-client-id=6 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2660
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0F9DBD56A62160519B9BA45BC7B19E7A --mojo-platform-channel-handle=2372 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e6f93e0499d02fd44298be2170e14f07

SHA1
2df20c84266606f00f790f57f5f22e880d0e4474

SHA256
a3cc1125bce29f79a612c2acede9b04fe022871c3558a701fb659cc00daf3e6a

SHA512
c0c7f49ecf0ad1fdd7b2e22c638ceabfa6666f1aa8ae7d5a837c51823f626d1b76728bb7cc84bde64d6dfb19ea768b81ad05e8741ecb06e4d19c60efe1380a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6e5950cb3ef8645a477c3bbb6daf0e8a

SHA1
f93a3567139db543477c4645b647df98facb0b5b

SHA256
5a5f6649a90a3f3fb9309a517673d321b39e31d99895f66edefa006565a05c77

SHA512
a832974b38a8d6b8512a031c6fb12f3acae0c3be15cf86f42e2f9774a75453079e804ce88c60d80fc1d06a809e65813c25601de77f1f19838a557b8e9966745b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads