534f411a7270f63ef937cc8c4b95ebed9b17bc8f07b86fa9a67190213849a7d4

General

Target

008c8ba48c7c8ecab08faf545aaabd81_JaffaCakes118.pdf
Size

45KB
MD5

008c8ba48c7c8ecab08faf545aaabd81
SHA1

ebcfa2db689b0875eaea3b22e7eba58379d217b9
SHA256

534f411a7270f63ef937cc8c4b95ebed9b17bc8f07b86fa9a67190213849a7d4
SHA512

4f42659d90248a2c8d709d0c3cee0f7953054fd89bed3a19fef377fc4c504001ee0f61c9084933cc3e53cf34900e76352689d4959156f8bd282e0dcf6bbcae0e
SSDEEP

768:UX2QcZMS8PA1UU4RvjxuVmqGDkUoyp9rlarWm/1PfJ048YNiiVv+KM:UX23Z84OUivVuVmqsk3CArW8Pmr2VFM

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4276 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4276 AcroRd32.exe
4276 AcroRd32.exe
4276 AcroRd32.exe
4276 AcroRd32.exe

pid	process
4276	AcroRd32.exe

pid	process
4276	AcroRd32.exe
4276	AcroRd32.exe
4276	AcroRd32.exe
4276	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4276 wrote to memory of 1980	4276	AcroRd32.exe	RdrCEF.exe
PID 4276 wrote to memory of 1980	4276	AcroRd32.exe	RdrCEF.exe
PID 4276 wrote to memory of 1980	4276	AcroRd32.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 1324	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe
PID 1980 wrote to memory of 2408	1980	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\008c8ba48c7c8ecab08faf545aaabd81_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B3BEDF5BF9F3A5474490F91E523D5DBD --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D8198C691B0C90B9188F798CDDC49145 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D8198C691B0C90B9188F798CDDC49145 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F802505BBF94B1B9579EDD2E11DB0020 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1220

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E9E88039C02433F36A10B4FDA135CB9 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B82A76DC24F442FFBC6450AA6763ADCD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B82A76DC24F442FFBC6450AA6763ADCD --renderer-client-id=6 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65F441FC90C9DD96CF243A71C57E09EC --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
7868a764de7dd207b1b8f4c9ba61a6f5

SHA1
d5f0e365d8fe1321a341039e81a94a8b90932214

SHA256
cb1938254656c8aa5d6690f9ee535c0542a20371b8d00263601176663bff3dc7

SHA512
847c951cdf16c80f0ea8497dd96f029f7a90f9ad671fa8a3da009acd32d3300d4244d3fe8a99af3f9b04dff9b46510993077d0d201196abf41373830768cf54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
3c66e8fd67e26e4fe3d381ede66e3d43

SHA1
06cea82866fb6c39ee803863b21408cc6872ca98

SHA256
a5bdf75413a47949b9fec032d39437939c1aa715ee3dd121d02a6333327748fa

SHA512
2654f51efbdf2b1a464e54951ae8298d866c081eb2918b1d4940f2b93f43877d671a38eaea9402f5b0cb0f72290a62035e49937a3f22f0d2e207b9e6ccdc164d

Download Submit
memory/4276-28-0x000000000A2C0000-0x000000000A310000-memory.dmp

Filesize
320KB

Download
memory/4276-30-0x000000000A2C0000-0x000000000A2E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads