2cad66427de168a44613810fdc8e1b6ba31fc02a49ebd386e1c8a19a4a20fd76

General

Target

484701665600470a9e916bbf8bda6e68_JaffaCakes118.pdf
Size

63KB
MD5

484701665600470a9e916bbf8bda6e68
SHA1

a45aa31bc2f27f953bbff29459cc9f14c089fe61
SHA256

2cad66427de168a44613810fdc8e1b6ba31fc02a49ebd386e1c8a19a4a20fd76
SHA512

de736ec440104dd62958c5a1106719cd350cbbb43703fac8eb61475e9d6c39efaa51603da055aab97325915c0d3be96606a951f819c786c0622f81cbae78faaa
SSDEEP

1536:kGFjpHAVZ1xIziqR1nw5n2Fh1rtihA+p0LQLBO6e:xFjpu4/RwF2Fh1Z01WA4

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3780 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3780 AcroRd32.exe
3780 AcroRd32.exe
3780 AcroRd32.exe
3780 AcroRd32.exe

pid	process
3780	AcroRd32.exe

pid	process
3780	AcroRd32.exe
3780	AcroRd32.exe
3780	AcroRd32.exe
3780	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3780 wrote to memory of 848	3780	AcroRd32.exe	RdrCEF.exe
PID 3780 wrote to memory of 848	3780	AcroRd32.exe	RdrCEF.exe
PID 3780 wrote to memory of 848	3780	AcroRd32.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 1012	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe
PID 848 wrote to memory of 2576	848	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\484701665600470a9e916bbf8bda6e68_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F4E31147BA6B29EB04BBE0B3FD063F6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0F3A69D4260EC9E092DF949F5FC50E72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0F3A69D4260EC9E092DF949F5FC50E72 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E40C987163B742477EAEAC27C6601748 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3601CCD6F879E5B2B372FBA0DC2DB5B5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3601CCD6F879E5B2B372FBA0DC2DB5B5 --renderer-client-id=5 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CD7C4CAAB3D8BCB944DE40B2E6B19C2 --mojo-platform-channel-handle=2728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8774DC7F6E3BB3A571F8812212F7DBB --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
1eb3d27a5b5a6df9bc39907bc2972303

SHA1
53a3e3c301bf8f3ad89ea5ab94439c0a9fcf6470

SHA256
e0094100bbfcd0d5cf93c9eec0d7b7c84fba9bdada17404bb9e666b51544a743

SHA512
05bcf17947715319b4c27ab787d9c182745c2e810cfac28358b6710e0f4fdf22ed79c6e2b43c9b53fb3109e10c1b513d3eca5cc3a7dfaf74a003a3500b452be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
a1e73b190bc547d2883924c4c958c55b

SHA1
e0a50d968060ab85d772d1c5bd6afb6c88458305

SHA256
93b8ac82faaef0b478b51092361207a3cc1ec84627d180c4dd604961333a74c0

SHA512
86a317f91f37112c02faf9547a0d7a5de02a4e4329b701f9fbd68863291e7d1d451cdf3c31e3a1c0be48155d847ffa81b7b9fd685784f958907ebdc6feff0c19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads