7a193661d7ecba5b95199c7f8a784295c719f02ae7e55750fe6b1bddd31ca779

General

Target

68fb3b21b7368e74f3d66fab402aab94_JaffaCakes118.pdf
Size

45KB
MD5

68fb3b21b7368e74f3d66fab402aab94
SHA1

6be994cb71713eb286fdee86abbfca9ed2cb253f
SHA256

7a193661d7ecba5b95199c7f8a784295c719f02ae7e55750fe6b1bddd31ca779
SHA512

7ee63b18153107f5dcb44eb2d6bb0a9f2b3250aceb9293ea3beaace2d885d6dfdd34072ea365afc173f31bb6cc033f7b45c046909f88e9dd2584f83f87ffce22
SSDEEP

768:NdgGzpDE7KM+gA3/jR7GtGZ9/eb80tdP2zHXE4Ys3asX/Uu2Uc9LAmkiU40IZqn:gGFg7G/h0H2DETuasX/4Uc9kiBZqn

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3364 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3364 AcroRd32.exe
3364 AcroRd32.exe
3364 AcroRd32.exe
3364 AcroRd32.exe

pid	process
3364	AcroRd32.exe

pid	process
3364	AcroRd32.exe
3364	AcroRd32.exe
3364	AcroRd32.exe
3364	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3364 wrote to memory of 2104	3364	AcroRd32.exe	RdrCEF.exe
PID 3364 wrote to memory of 2104	3364	AcroRd32.exe	RdrCEF.exe
PID 3364 wrote to memory of 2104	3364	AcroRd32.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 404	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe
PID 2104 wrote to memory of 4716	2104	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68fb3b21b7368e74f3d66fab402aab94_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BDA35E5FAC5F252E62EF8DD8BA5E1CD2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=90CAE32A8D3F08A631513768DD854570 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=90CAE32A8D3F08A631513768DD854570 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A79ECA85A34CA88E61B04B18FEDB430D --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2648
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=54A4CDB5020996337011BB038FC50B21 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B4637FF6440354989843858D05198F8E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B4637FF6440354989843858D05198F8E --renderer-client-id=6 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5B6AB57B9E530A38E6A62CBA70128CC --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1f52028480d62a85db76d0ccc65129bd

SHA1
51ca15afd4aaaddb9b047b9e253a717a48f467b6

SHA256
f4a6396bf47d7cc63ddac07081c3a1a5562738e8ac72478564c4e19d48493624

SHA512
00a6e82a643461cf10daf195b50c35083a7dba9f79613ec79fcf1803c949bc9b825ec76625ecfb06a461806f4b160a29e4f34c09c0b0e6d654c45559e2fee8a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2656ea86ff4b0b4fe9e2537461a543a0

SHA1
2d934ba5616b05de9317541d093556becb7bf43b

SHA256
a59253482e20f9466ff56075962b20a225b9c95ee7c2ef8138d708a594fb2d20

SHA512
0899f8d1ac85b216cb044a997d86db2ebc7ca2cc79927d2415d408b26f18fbfd106cbd99b50faf0a325387ca1a741885d04cd256a321f87e232f212cbe16d911

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads