aa464633c2e099516dd79b62e67d5c809bfd6e37dc462a332532fb58050d3acf

General

Target

64788db38bb43293de25ab5bbfe3b992_JaffaCakes118.pdf
Size

37KB
MD5

64788db38bb43293de25ab5bbfe3b992
SHA1

f42b78f9c0b54fa17b3768949288348d3b2e66cd
SHA256

aa464633c2e099516dd79b62e67d5c809bfd6e37dc462a332532fb58050d3acf
SHA512

9dfd419d174630f0b600a842f7d773078bf42a9054a0e6459c810d35e98d546ddded2a5484efe1a432a84f0e4c8925f39a588b8ccda9a174824cb9941b1ab8b6
SSDEEP

768:YXuMZmwgCLWarkCYjhy2StbeQXXScWv4jLd+Tl10PLV9u4pqR8:YXFZmGWSryy2S5XCkjLd+T4PpE4pw8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3680 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3680 AcroRd32.exe
3680 AcroRd32.exe
3680 AcroRd32.exe
3680 AcroRd32.exe

pid	process
3680	AcroRd32.exe

pid	process
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe
3680	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3680 wrote to memory of 4136	3680	AcroRd32.exe	RdrCEF.exe
PID 3680 wrote to memory of 4136	3680	AcroRd32.exe	RdrCEF.exe
PID 3680 wrote to memory of 4136	3680	AcroRd32.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 3992	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe
PID 4136 wrote to memory of 4964	4136	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\64788db38bb43293de25ab5bbfe3b992_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DAD0EF5CFECFFCA67903FB6A823DBFB4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DAD0EF5CFECFFCA67903FB6A823DBFB4 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4514A578B188620F38049AEC9C58BD28 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8EA9CF4D44E7D539BA954DB56364252 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ADC039D771C7AC694693AC4FBB638639 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BAB6F6040239F79A69A0A955BE200A2B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BAB6F6040239F79A69A0A955BE200A2B --renderer-client-id=6 --mojo-platform-channel-handle=1984 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBF146D31FF9342333F3AB8AB3A004CC --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
833bf249f815e3502a4b144966cebf87

SHA1
1ab9b027128f77aebdc3f6538231fef45054cd63

SHA256
cb15fc6cfdc94e194f3211dd608156952fa6ef1ccb794fe343bff34d84b4c9f5

SHA512
466f7333d301e5811477f387d507cec4b27066ba68b714073374dd2dee3a77d416621c2b7edf1d020bd72f3ef02b93937de5601016dc8e8d3252a0b03205d4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
d87c442ee14ce8948ac63bd30d4d9308

SHA1
bf3714548d8cc0084a08ca919d0f21f5a26d8302

SHA256
ed5f43972eed8669b03c1a891619c7cbd900715d14e9c35eb27c1cd17a6aabbf

SHA512
f3eefdb00b0fc3e571b64e7c36c4d3bebb3b25d90d074a56f44e8b64667edc39dcbc84a1ac369f880a30dae0f8e81b4efdc1f34ae45bf9701dc5c63cd67f5427

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads