7edac73dfe77f24484b223770ea40ef65c10d8c22a6c6efa8dccc543194e5753

General

Target

fff9c3e5f0b73c1b05ee645b26c4829b_JaffaCakes118.pdf
Size

181KB
MD5

fff9c3e5f0b73c1b05ee645b26c4829b
SHA1

181e710978df6422075c983b773ba0f50de0dc81
SHA256

7edac73dfe77f24484b223770ea40ef65c10d8c22a6c6efa8dccc543194e5753
SHA512

322373379825ece5e0298aab97518ec2e81e6036f41b05f4439468372cebafa8877f84fc7a65fda246ec5adbb4b985410b507bb85f067d24915aed70bc9387de
SSDEEP

3072:HKA9JXim7kUwG3G3PYAan75WEtHAC2nUgDqyP2UqkQrxNijV3zSHwF/M:qA9geYawEM4ZNryUt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3704 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3704 AcroRd32.exe
3704 AcroRd32.exe
3704 AcroRd32.exe
3704 AcroRd32.exe

pid	process
3704	AcroRd32.exe

pid	process
3704	AcroRd32.exe
3704	AcroRd32.exe
3704	AcroRd32.exe
3704	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3704 wrote to memory of 1092	3704	AcroRd32.exe	RdrCEF.exe
PID 3704 wrote to memory of 1092	3704	AcroRd32.exe	RdrCEF.exe
PID 3704 wrote to memory of 1092	3704	AcroRd32.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1368	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe
PID 1092 wrote to memory of 1864	1092	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fff9c3e5f0b73c1b05ee645b26c4829b_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=247188B5EB84712B872BD39A515F4B62 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=07F98B94C18D8798487E94500A441074 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=07F98B94C18D8798487E94500A441074 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0E5AC5781CBEF853B9347533793DA133 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E666B3130FEC34A23021B6A0C9BC0F16 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E666B3130FEC34A23021B6A0C9BC0F16 --renderer-client-id=5 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2792

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1625C19E50CE4F723FE7EF214AE04BB --mojo-platform-channel-handle=2712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4449B28FEC0102CB4B1E100E1252A668 --mojo-platform-channel-handle=2856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
3e5b5a03cb3b807fae289c91fc20501a

SHA1
ef97579a1f3ccde824769ff36363033b1ac8f8a8

SHA256
c84ba3393f851604fa8c9c22e93d969d011e07494b3e445682e9cbaeaa571bc3

SHA512
cabc97a340e1057ae8b67ec36a87e553bf4c185e6d272b3ff3daf43572af6c199e24e76bcdd90249b0f1a03a19c74f2a6a973d51856bcde8a4abed9d8534f0a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
df30240dd17bef881988c4824005e4b3

SHA1
361d640e71cd6e63d81fa1a31bf1eafe8e4fb6f8

SHA256
38d32e51900186a8a5230029d60340eb0b49329200f83491682435114add5973

SHA512
29adb052913eeb92f2371c6b68396247f0bfce18ac2f103bc9c7bae6ab2651c41c33fc815035e8977747fe04f88c910c8f640a4e26d769ca324ae14bd41ceafe

Download Submit
memory/3704-30-0x0000000013D30000-0x0000000013D51000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads