0efc2bb3e3b9c0216d27f7f75356ad212ba785564bee5cc322e181b66ba53bad

General

Target

004acd7ed74074d6d036b063a6428e09_JaffaCakes118.pdf
Size

39KB
MD5

004acd7ed74074d6d036b063a6428e09
SHA1

92f9ea42493ab0e5031a440880fbfd78954a861a
SHA256

0efc2bb3e3b9c0216d27f7f75356ad212ba785564bee5cc322e181b66ba53bad
SHA512

e7912caa42dd478bf5837c3938917b30d8b299e53db39686af8b2932deb6199c1da12f5b9c0d10804cfd7d7018401ccb469134ee2c0a42d6a793721f5855d084
SSDEEP

768:bLXuMZmwgCLWar7b2E5HpxHwi53cfgNYEEuMdUfAF17K4GAxzZ6/8wQ0e0iT180H:bLXFZmGWS/jHwi53cfgNYEEuMdUfAF1x

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3796 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3796 AcroRd32.exe
3796 AcroRd32.exe
3796 AcroRd32.exe
3796 AcroRd32.exe

pid	process
3796	AcroRd32.exe

pid	process
3796	AcroRd32.exe
3796	AcroRd32.exe
3796	AcroRd32.exe
3796	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3796 wrote to memory of 2772	3796	AcroRd32.exe	RdrCEF.exe
PID 3796 wrote to memory of 2772	3796	AcroRd32.exe	RdrCEF.exe
PID 3796 wrote to memory of 2772	3796	AcroRd32.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 3248	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe
PID 2772 wrote to memory of 2448	2772	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\004acd7ed74074d6d036b063a6428e09_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=776621B9069029C936CCB89AFBD56698 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BA88B76EA0043AC21E65E2608107882B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BA88B76EA0043AC21E65E2608107882B --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2448

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F46CD9CE691AFC1D93F2756B9C8D5E5 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C97CBCBB1DC8395ACC7875D744920148 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D90E07D67041030FA0DF764524CF877 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D90E07D67041030FA0DF764524CF877 --renderer-client-id=6 --mojo-platform-channel-handle=2224 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BC8A98FD9B1ED956CB47871D0F8B059 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
7c05465f61b06ffad049766f08ccdd12

SHA1
a89469af44f224021be36efb68ec478bddebfc94

SHA256
d8bd5cc9c770374f680f75e809194bccb4544620bdc0b78054cd8909039002df

SHA512
083ee7a79350189aa65ff47b77d850fab00e1c3e5bfbcf4c91f8350e59e655b6b85810a8d90989e977b768339bd1fb869798b178182071224c134787eec0a563

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
8ef9f4d3257518ed692fcb8def5060c4

SHA1
4ac01919d3f0f300ab372bd8036842562abcb7a9

SHA256
b47963cfbb6d068c169c6f2c0c1375a290d8dec19822b8b28fc6cdc1063ad566

SHA512
998f537316d3932cc3a6d2b0760fdc0e008d8f800abff8ef3e3c568a16d1a38814c59213ec3cd6e5e428b9e10b7a41274c3b8e7a50fd0cdf8dbe66a0d22ca712

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads