3628b48e560a4c8dc39c98acfa135864402ad4a665d5e79dc8b002c62a3143e3

General

Target

63c36bf31213c2a940f0db850f8f28f7_JaffaCakes118.pdf
Size

50KB
MD5

63c36bf31213c2a940f0db850f8f28f7
SHA1

e417bd5b6b2c8dce1229a6cc086033e640ae3eb0
SHA256

3628b48e560a4c8dc39c98acfa135864402ad4a665d5e79dc8b002c62a3143e3
SHA512

0d1a7421ab58568cd9f258f6ca33e04954716e800215563603573c43d483115c850bc70bc0d2f91a7fee31bc4c549f74f0e3650f781bec32f1cab6a5230c8188
SSDEEP

768:pgGzpDIpr8aXEp1YzX6cxK3XXulcJnp+6FyiC28G/qevwC4cdFJ/tdlUMAE9O:KGFcpr3BPEp+65bRvucdFJ/tdCE9O

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3824 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3824 AcroRd32.exe
3824 AcroRd32.exe
3824 AcroRd32.exe
3824 AcroRd32.exe

pid	process
3824	AcroRd32.exe

pid	process
3824	AcroRd32.exe
3824	AcroRd32.exe
3824	AcroRd32.exe
3824	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3824 wrote to memory of 4564	3824	AcroRd32.exe	RdrCEF.exe
PID 3824 wrote to memory of 4564	3824	AcroRd32.exe	RdrCEF.exe
PID 3824 wrote to memory of 4564	3824	AcroRd32.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 2464	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe
PID 4564 wrote to memory of 1996	4564	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\63c36bf31213c2a940f0db850f8f28f7_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9803F321F1BB9F0DC6BE84A8A68FCB2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1BFEA0DDA831F7AC047063B747125BE5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1BFEA0DDA831F7AC047063B747125BE5 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EED64098227C869204DAD60DBC5B77E7 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B0DD8D95213D0914720DF25902B228F --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=552A25CF7E1C4621903F7936010DF2A9 --mojo-platform-channel-handle=2100 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=057EA8C8128AC16EE5C320E9930D9587 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=057EA8C8128AC16EE5C320E9930D9587 --renderer-client-id=7 --mojo-platform-channel-handle=2368 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e1438574e113734f77cd59c4ea429e2f

SHA1
f1a3d3817e4c4d5ec1d32a0717d28d68deab05ec

SHA256
5840016f415cb333e91db913d64f6aadc6456d021f8a327826a6d0e58e9d35b1

SHA512
28417f9c918c894204ef33dcf6d2df6cfee7c8c20dc92c804be735732353351c026ebc973de12d7c4b04090eae695b454c1f7e903f252f5e48f36975124d5cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7e5888263b87fde36e0adba219227249

SHA1
7d79ae67b282dfad1406159839d16f7d6f57552f

SHA256
69655c4fd3522c5e5047ec4920fd70867b6d8b115915de81ae36d6bbbf1a7375

SHA512
ea1f423cfb336931f4b19d8e5cf7a98d9dc3442635ac1d2fa9a35f3f79956d151a5b8544fb2b45b8cdc004c35ad70a2f37fec698ec6442013c9f2a20cd6f0ede

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads