7d542de3cd9aa0bbb9a5ffe7007d804dd301e0c005ad564a96989b2bfae37740

General

Target

68d56a6e1de6b052d71c3133c36b7966_JaffaCakes118.pdf
Size

50KB
MD5

68d56a6e1de6b052d71c3133c36b7966
SHA1

b6506f6074861675bc8b8e84e58c3c64a51b79bd
SHA256

7d542de3cd9aa0bbb9a5ffe7007d804dd301e0c005ad564a96989b2bfae37740
SHA512

6cddc81bfb1a71193633e7a234d9fd5389d068320a3c7f53502835313fe3b50fb76ba6f3255e9e650e361fb6c5a8c32eda229c3e3af00e15bf09c645ecb72404
SSDEEP

1536:jGFue2KC2j+HcS5abxO/KzxpIoOczGUox38Ix42T18jGlu/NE:yFue2KxxUKz3I7OGUUDqljGluy

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

744 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

744 AcroRd32.exe
744 AcroRd32.exe
744 AcroRd32.exe
744 AcroRd32.exe

pid	process
744	AcroRd32.exe

pid	process
744	AcroRd32.exe
744	AcroRd32.exe
744	AcroRd32.exe
744	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 744 wrote to memory of 3144	744	AcroRd32.exe	RdrCEF.exe
PID 744 wrote to memory of 3144	744	AcroRd32.exe	RdrCEF.exe
PID 744 wrote to memory of 3144	744	AcroRd32.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 876	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe
PID 3144 wrote to memory of 1252	3144	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68d56a6e1de6b052d71c3133c36b7966_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=128315DC169E36FB1CDE5B2BB08808A6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:876
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=64329ADF0B77A1D503627C0FF6E55802 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=64329ADF0B77A1D503627C0FF6E55802 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3BAA8D34AFD4575F7CE758CF554143CE --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D4ABF52932FB67678A6838A12F188C4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D4ABF52932FB67678A6838A12F188C4 --renderer-client-id=5 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=53E0588F89F4D33B091C59F6EFEE3C10 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4160
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17118B3EA236F3C48AB949C98A0C2D6C --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
51bcd928c76be4ef89dca1e29e5c0a4f

SHA1
86526111fdebd15467ba7fb51d9f0066eda3211d

SHA256
d41019a65c2f7bc77d75e5aa762980dd2c36bc15ea8a0d08bdc63e14c17df68a

SHA512
61129900a1b0aec246a90c77b9aba9c774aea08419e7a04cec5828bedb433a6ad8f6e2361fc22727e6815e75b4ff326350e3fe5e15b63b321c1e6595af41220f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
07dbbf38d0936a5d6e37b49dc883edf6

SHA1
17d2e8f43f3077836682ee2c98fa0671aa048066

SHA256
bc78a4c5e9f552ea349daff977a09b8aec032e75a6d6e8eb9b9d1a0be733bf64

SHA512
1508646004aad63cadbc4b49879f0d62c16a0cf0fa179803893cee0002a757ade8eebdee3dbc516d6fef7442c577870d3b41f8865b4127bae10a24ad2a8cce78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads