bfc667e71ef1d10c80601823d40dd210b156bd013d6dba6e431c16d5ea3ab0c7

General

Target

fffb12244c198b92596a4d0f2fa2500a_JaffaCakes118.pdf
Size

86KB
MD5

fffb12244c198b92596a4d0f2fa2500a
SHA1

7ca9eb3e13b7767c7376db28e15ff5db09a56d3b
SHA256

bfc667e71ef1d10c80601823d40dd210b156bd013d6dba6e431c16d5ea3ab0c7
SHA512

10036eae992a842bd9949f0f3ae639f29e593aea1d48b78b2d855491d6a094d31929279e4980b83b98708c337c91a3fa543095b732e868db6e257e289061e2fe
SSDEEP

1536:l+eluJoyPNiRIuQ7YkaWX6gOfLRXY5GP7JKiYEbwkRuWoEwwsQ3+yg2IW8pO7CdP:sSyNiBQ7YkaWXqNoCJgMdudwsGK2z7I

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2076 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2076 AcroRd32.exe
2076 AcroRd32.exe
2076 AcroRd32.exe
2076 AcroRd32.exe

pid	process
2076	AcroRd32.exe

pid	process
2076	AcroRd32.exe
2076	AcroRd32.exe
2076	AcroRd32.exe
2076	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2076 wrote to memory of 2184	2076	AcroRd32.exe	RdrCEF.exe
PID 2076 wrote to memory of 2184	2076	AcroRd32.exe	RdrCEF.exe
PID 2076 wrote to memory of 2184	2076	AcroRd32.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 116	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe
PID 2184 wrote to memory of 1884	2184	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fffb12244c198b92596a4d0f2fa2500a_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A083C932151E9F63D1338D4BDF4F8AA6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=84A18D732BF0FBC66A52B5156E0095B3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=84A18D732BF0FBC66A52B5156E0095B3 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1884
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3B109B0FD544965FC85B5BB8AB32E0C --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40899939BCA15BCCD1F730E075BFEF61 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD871294ED05DCB8330F8303F5DADA76 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD871294ED05DCB8330F8303F5DADA76 --renderer-client-id=6 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DEC3917A3DFA5809A390613B8B3BF48 --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4cda28628c94a1d2401054683edd5725

SHA1
9de5121798b19678fdd917d2a25e0470091a8760

SHA256
bc62b56f0070f057b33f069a0f3867edf5b26f9cbc5abee46ab948fd482bdd34

SHA512
566b65419378f4c88ee67d0b25be40ba1ca6cbd012e298dbd6de48e5e5043d944a223d22924d59f935beef61ef936669dc7f77a94bc8364c009097f479a626d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e34f16aeb67ea4a96a913facb51abed2

SHA1
7703bf08221257dbdbdba97abca1a54f90d0c03f

SHA256
9c5437ca1ffbb9a4ba8d9ceb4bbc47e9393ec28c441a845470ece586d847317c

SHA512
dd2f9239c62bdb668900f7a7cb09e8e864f97c290f6f3de3dbb20e40dfd9f487a23e0e3d4e541427c1d68b3f57a7051db889ff35325f56b5ce5020597d8f3527

Download Submit
memory/2076-30-0x000000000BF40000-0x000000000BF61000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads