14f4637e5ec4961d24469f6cf33e61e8edf4d9e3e89debc4a43dbcf8c4fd8985

General

Target

484903743f22a8c4646d726e159ef71c_JaffaCakes118.pdf
Size

7KB
MD5

484903743f22a8c4646d726e159ef71c
SHA1

4f52d6a856487e290858659fee6c5f2d759dfaec
SHA256

14f4637e5ec4961d24469f6cf33e61e8edf4d9e3e89debc4a43dbcf8c4fd8985
SHA512

01618740cf8b985b594cc75dd3829208b0164c350b3242ae2d042ed5cb65d137e12146e154f917bec4b91b713246beaaa71d014c4068ca33cc5ca28aaa288772
SSDEEP

192:2Rcd0Yg66s/a5t1McWtxAodpQF1YqWgD9TXKVB9sL:2ad0xhsPltGodCYTglX89o

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2652 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

2652 AcroRd32.exe
2652 AcroRd32.exe
2652 AcroRd32.exe
2652 AcroRd32.exe
2652 AcroRd32.exe

pid	process
2652	AcroRd32.exe

pid	process
2652	AcroRd32.exe
2652	AcroRd32.exe
2652	AcroRd32.exe
2652	AcroRd32.exe
2652	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2652 wrote to memory of 4796	2652	AcroRd32.exe	RdrCEF.exe
PID 2652 wrote to memory of 4796	2652	AcroRd32.exe	RdrCEF.exe
PID 2652 wrote to memory of 4796	2652	AcroRd32.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 1136	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe
PID 4796 wrote to memory of 2700	4796	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\484903743f22a8c4646d726e159ef71c_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=49F9937DEA4FADDBE5A2E546D5D1CC71 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1136

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3B197B3DCA2CBF9BCCBE9F1DEAF8FE5D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3B197B3DCA2CBF9BCCBE9F1DEAF8FE5D --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B486969DBD0464A604BE94FD12EAF421 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E40D9ECC25651B773050576E041AA41D --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B68E0A6B6D8E10C74E501652AC3D2411 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B68E0A6B6D8E10C74E501652AC3D2411 --renderer-client-id=6 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3816BB73659B198B25D3D73F4475E7EB --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
0960594849bb7909ea414d80dcb6147e

SHA1
eef6222c3afa33ca874ee1489128bafd982682cf

SHA256
85b46c6fdb920e8c5e2f627bb79512794a6bd63f1d4873bde8682fd509df9c84

SHA512
92c552ca4ad7b8446833373226b9ad45eaa1a5e4abd80dcc37e86c1252bef8230c80193067719bd7d2983cad4f90c3ffcf9ac2a8e66526f43ff8d96f7567348e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
f551b18ce923742459c3cc65941d3907

SHA1
f5ad57f6fb31b6613507b96f2c8e892754dec887

SHA256
3d4fab650599bdc2eebcff3d20ce354d66929739c8bd4831a73c64f1d784da5f

SHA512
6faff599264b07b6dbfa8f14bfda103bf2152d218c210f6e6419a21bcb4674397f324f5f03a6282d2b1d230191b76e2984592537326a36688eba74192682d134

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads