f94dbe957f8eb7e9d03a0a19af700ed82d0a2f9c5070cc99e52dd7af94e32468

General

Target

64b5b2314be3d105ed22c4fe294cd0dc_JaffaCakes118.pdf
Size

34KB
MD5

64b5b2314be3d105ed22c4fe294cd0dc
SHA1

88cab7f3502aef3733228b9fa22174ca6aba2c2a
SHA256

f94dbe957f8eb7e9d03a0a19af700ed82d0a2f9c5070cc99e52dd7af94e32468
SHA512

9c2741fd8a3f4f0cefa7246a96f7724c6e6078aeb526010f76920596c06a7dcbf45b441c4f61635175b27a10fa333a69f7164a191156e4c18a3829e02bc822f5
SSDEEP

768:kkJYJOYDBeOWbeSBi4pRbq/TPW3HROMhkal71HJuEBVUOrBTU/plOlNIlh19oLEA:k+oDBeOWbeSBrqb+3HROMhkal71HJuEx

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3080 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3080 AcroRd32.exe
3080 AcroRd32.exe
3080 AcroRd32.exe
3080 AcroRd32.exe

pid	process
3080	AcroRd32.exe

pid	process
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe
3080	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3080 wrote to memory of 3656	3080	AcroRd32.exe	RdrCEF.exe
PID 3080 wrote to memory of 3656	3080	AcroRd32.exe	RdrCEF.exe
PID 3080 wrote to memory of 3656	3080	AcroRd32.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 3052	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe
PID 3656 wrote to memory of 4548	3656	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\64b5b2314be3d105ed22c4fe294cd0dc_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C8372E34636E514DBB6A2CED051E63A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A291797C849740C691990CDC78318CBC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A291797C849740C691990CDC78318CBC --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D7355A9CFA142B6B27D67915537EA00 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4804
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B44DB93DC79DFC157C10E79B024866F --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8B328C6B03B70070E37C016DD5438222 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8B328C6B03B70070E37C016DD5438222 --renderer-client-id=6 --mojo-platform-channel-handle=1940 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E48F696A42B470425BF030A35E283EC --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9e09d61accf269019ff29d1de79de250

SHA1
a6f6573e662cb971c489d4def9ffd4a8c501f746

SHA256
829e2626eaa1260e99b30df82d30345ed8ae3de96a19af2548009b6011232d36

SHA512
4635e89443ef76f92f6444f1a49307c55e968190bb3a44eddbef4105b4ee58d0d6276681116408b800d026b4d4a3bb00aebd736082e8ed9a74f9d791830610a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
679b85113cb5505a732cd896553466a7

SHA1
9d92e32e138e28733c7a4300b7c9226c37c271f0

SHA256
6ccf7c9cf7846d3185aca2e969e985ea48449fbcce263d28d30d53128c31f872

SHA512
7e3b8c13c5c7be89280aa2532b09a323c13ce5521db67fb9e77afbeb7e80c5e407ac41e7c926903b22c11db9729235df54d2507ca959cababf6ec1f7bb65a7ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads