fad2efece5d9397f8ba4230c26913d26da8015575eba50e393bb2d0237c0b43f

General

Target

61314a26377b4d528e4fbf761d69fc1d_JaffaCakes118.pdf
Size

40KB
MD5

61314a26377b4d528e4fbf761d69fc1d
SHA1

000736ec69cd6eebef7bfaa3b4e690cba7266bce
SHA256

fad2efece5d9397f8ba4230c26913d26da8015575eba50e393bb2d0237c0b43f
SHA512

48c17e497191a959f714dc2b2b30a0e8411b1330fc7f0b0b93aa9bda7c13046b8ea47a36a79c4e3f5199f24176d3ecd43396d77fad92bfa1fd9894a30d9b5823
SSDEEP

768:OgGzpDMpvWiUK02jNd8XKUiKmUt+cFgVqUCj4tF+p/oHwpLYquekwabnyHJz3C:rGFwpvvZcGgFEF+SHwmpwHJz3C

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1660 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1660 AcroRd32.exe
1660 AcroRd32.exe
1660 AcroRd32.exe
1660 AcroRd32.exe

pid	process
1660	AcroRd32.exe

pid	process
1660	AcroRd32.exe
1660	AcroRd32.exe
1660	AcroRd32.exe
1660	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1660 wrote to memory of 3844	1660	AcroRd32.exe	RdrCEF.exe
PID 1660 wrote to memory of 3844	1660	AcroRd32.exe	RdrCEF.exe
PID 1660 wrote to memory of 3844	1660	AcroRd32.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 2640	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe
PID 3844 wrote to memory of 5052	3844	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\61314a26377b4d528e4fbf761d69fc1d_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=368140519F09D15D540C03859D17FCFA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=368140519F09D15D540C03859D17FCFA --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2640

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDD929FB8ACEE232FA707E622983E096 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6CF8CC4D80D55284136DB9B2EF6A5F9 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2C739615502F24DB3CE9E1CC5F883A00 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2C739615502F24DB3CE9E1CC5F883A00 --renderer-client-id=5 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1F776EB5067C68E30E2A43EE0F5194A0 --mojo-platform-channel-handle=2656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43486643386D2A00F9E288C52087CB96 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
a8ffbc880143dbaeeb24b9df1b80223b

SHA1
a78c8f49baf3b3f709449be10202f1fad654caf1

SHA256
c7302b5808ab21dc24197a085dfd5662f0ade95fdeb29162704e89a6c989ed42

SHA512
e99af4618fb747ed97360fe4b2d8bdec6359f7b804e74f2bf297f1993f292fb625a09420e1fd4142e62fb0e429f4a5939f83dbe60e1644b60a61f03b582f63b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
e1add47f04821acbf68f880f0444cb4a

SHA1
f716cb4819d1652d27a5a393d1bc7954b16fff63

SHA256
da5f45eda61a2c37b55060a7e015eded4583d59c5e5faad20f0e16359a599e33

SHA512
aeec7cb6a2531cb2672cf4c369587007d464db946910b8c19bae24baade13fdf401165183af88eb6dfef46ada6a8a97429e85d60b0a54142f023cbcd658419e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads