749b2b99f5861482686a68861ae452ec96df02e0baed1b8deff4863c18359e1d

General

Target

5a6d58c510514f300e75f03712b49fa1_JaffaCakes118.pdf
Size

11KB
MD5

5a6d58c510514f300e75f03712b49fa1
SHA1

4dc2af2b55b269c3a3d769a79d047bd39636f593
SHA256

749b2b99f5861482686a68861ae452ec96df02e0baed1b8deff4863c18359e1d
SHA512

3d698075061398e4b5b0ef3d002cde4ff3cd61fc78e08ebe8cfa5bdf28e82285c93f00a3290356f7b65aeeeef9697475a711085bcb4597634c3764a8c9c69eb9
SSDEEP

96:4XswUk+ZLspEhod2U2dLA0t2Fa1baVPJzivO:4Xj+9spg6p0tsd9Z

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4776 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4776 AcroRd32.exe
4776 AcroRd32.exe
4776 AcroRd32.exe
4776 AcroRd32.exe
4776 AcroRd32.exe
4776 AcroRd32.exe

pid	process
4776	AcroRd32.exe

pid	process
4776	AcroRd32.exe
4776	AcroRd32.exe
4776	AcroRd32.exe
4776	AcroRd32.exe
4776	AcroRd32.exe
4776	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4776 wrote to memory of 4880	4776	AcroRd32.exe	RdrCEF.exe
PID 4776 wrote to memory of 4880	4776	AcroRd32.exe	RdrCEF.exe
PID 4776 wrote to memory of 4880	4776	AcroRd32.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 4640	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe
PID 4880 wrote to memory of 1576	4880	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\5a6d58c510514f300e75f03712b49fa1_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3B59F4302FB8545399AC4D4DC434091F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3B59F4302FB8545399AC4D4DC434091F --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4640

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=885544ABE0B7CEFC03E4E0B1C08B2A55 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09F9A82BF56C8BB14CBCC3E007F25077 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B98D565FF5C54D2ACC3438C700D2063E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B98D565FF5C54D2ACC3438C700D2063E --renderer-client-id=5 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38508A1309C68345A40DEB6EE54C3329 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=66823046E648C8F4BD7E747FC23D7030 --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
77223ad42dff4d4427c46500a3e48839

SHA1
68d64c4069472979969506915d7bc1bcbd4e0ec3

SHA256
08371fb25a772df886495d247f3151b1f4718af8b39eb2f4fa080fe5f1573095

SHA512
78de86282119c90248ab4207200f8ca02035148aba0522dd41c9d00e02675fc9c1342f72dfa2cf1c6ee0285d48b6d605c7b2e5fd2681d984fe371242516171b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
6d9d55e86584546dfcd6645e122447e0

SHA1
2fece5777ca610f416828693b913bc10d5f14d5c

SHA256
565826998677534f5a76c5e46cc79bdb9b5051282a8b95432b8365ac515e3ce2

SHA512
7013d7736c82c1ebef58f078706b6b11fcdb3162fc9c2952258ad47cb9f66beee6a3f59a1d5ddcd5b5d8d361223d9b4352d0a7f06c5ae26d9a9c37321ed154f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads