e143eb76032ef31cfb8e5ae8d01fa578dc2ad049a4992cb0546ca8fc720d0520

General

Target

00727aba6addddfa9f7e1e6e6fecd810_JaffaCakes118.pdf
Size

36KB
MD5

00727aba6addddfa9f7e1e6e6fecd810
SHA1

dba11cab3bddf1ffbd27527643904bdecc681b7f
SHA256

e143eb76032ef31cfb8e5ae8d01fa578dc2ad049a4992cb0546ca8fc720d0520
SHA512

4b5921bef0db5a8d3b9071a8644f5433137e9fff919ef8bd16ed9762986783cbb1cf9411400c59ece77e62da47fa198ebd75d3a304610a6769cff36beaf9754b
SSDEEP

768:wgGzpD5pFBh4edW1AAyq/ByJmYUUua9+Mt0HmeVg85rhRz8E/rZ:dGF1pkAAyq/ByJmzU3+NHmYJ5rhRoE/F

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

400 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

400 AcroRd32.exe
400 AcroRd32.exe
400 AcroRd32.exe
400 AcroRd32.exe

pid	process
400	AcroRd32.exe

pid	process
400	AcroRd32.exe
400	AcroRd32.exe
400	AcroRd32.exe
400	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 400 wrote to memory of 1796	400	AcroRd32.exe	RdrCEF.exe
PID 400 wrote to memory of 1796	400	AcroRd32.exe	RdrCEF.exe
PID 400 wrote to memory of 1796	400	AcroRd32.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 4048	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe
PID 1796 wrote to memory of 1716	1796	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\00727aba6addddfa9f7e1e6e6fecd810_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20A6AE32B9818FED9F3C94261CFB634B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4048

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C19FDA3E6B141EB259D66F739804C6F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C19FDA3E6B141EB259D66F739804C6F6 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1716

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=741F047037FFD4D574EB90445C0B3E44 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B65B33643083DD7CA85C76A85474CC1A --mojo-platform-channel-handle=1908 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=422F4C26CE41A2A632F8E3476749A008 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=422F4C26CE41A2A632F8E3476749A008 --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06BF862C19C04713E72017DB2F4DAA10 --mojo-platform-channel-handle=2796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4c0d41006c139da95f9e1c6bdf84bc4a

SHA1
c513834efb786e4be6046baf7c087a003cf052f2

SHA256
0c8bee2a10b8ac742252bc1e6068265ebaa94b183307baa77b890418c8c37071

SHA512
e30efa421c6404ad51ce2eeb655c164a490659b59bccda5f75e642ff78ed8d03ed4bf4f44d9d629c53054775343668be0f7ecbf411ee513f9aec28793ba0f016

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
3a303189cd2697009dae8d4bdb5784e0

SHA1
904eaf49431c2ed7a0107237298cbfffd588dbfd

SHA256
fae13c6523223bd12ec0b7f93c9abd6a53bf63416a8dc6d949ad804df2579137

SHA512
afd1b055a39a66729cbfb806cadbc23202b268fdc15401b05693d33496a1591580848e4d97ec906ce5b608366dd0a1a8641cb88a690c0b3eaefaf431079244b2

Download Submit
memory/400-29-0x0000000009B50000-0x0000000009BA0000-memory.dmp

Filesize
320KB

Download
memory/400-30-0x0000000009B50000-0x0000000009B71000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads