08bd91bf9d838eb9877e6e2985cf742fd62e58cde5a6165e305a7d147335584f

General

Target

690924b74cbb5f1621946a198b9dd1fc_JaffaCakes118.pdf
Size

39KB
MD5

690924b74cbb5f1621946a198b9dd1fc
SHA1

0ba80dade0dc5581975bdab0d71c44d62455b98e
SHA256

08bd91bf9d838eb9877e6e2985cf742fd62e58cde5a6165e305a7d147335584f
SHA512

6b2be2446c2454ee4b7098c12de082d835936c8fe5166086e69baa51922ef0a953414b6ce4132ead2b8045531b3c05c89d0e8eeae74f73be1fc923d2ef6580b4
SSDEEP

768:dpihQHuXJ7dQDQCaFFg2RJfbX11/3LnyALe/HCUAn2cy5E5/XuMZmwgCLWar8cK:HApXJBQDQCaFFg2RJfbX11/3LyAqCUjj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3364 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3364 AcroRd32.exe
3364 AcroRd32.exe
3364 AcroRd32.exe
3364 AcroRd32.exe

pid	process
3364	AcroRd32.exe

pid	process
3364	AcroRd32.exe
3364	AcroRd32.exe
3364	AcroRd32.exe
3364	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3364 wrote to memory of 2888	3364	AcroRd32.exe	RdrCEF.exe
PID 3364 wrote to memory of 2888	3364	AcroRd32.exe	RdrCEF.exe
PID 3364 wrote to memory of 2888	3364	AcroRd32.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3588	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 856	2888	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\690924b74cbb5f1621946a198b9dd1fc_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3CF97E738E57F97B56661E1BA97EE53B --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E12B8E1A410077F08052CB717C115203 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E12B8E1A410077F08052CB717C115203 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C0423B0EEC074775BF719CBECB57E107 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1C7F55E33B965175AC483308467789D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1C7F55E33B965175AC483308467789D9 --renderer-client-id=5 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F0E6FC056AD8F483DA9E8F2E66059A37 --mojo-platform-channel-handle=2756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0F52AD55E6CDB8D40BA6004328EAA1D --mojo-platform-channel-handle=2868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
98b5451c2a398ef130044e04eac675fd

SHA1
e296afa7cad4f5644e4acb597f1b1095e3c662d2

SHA256
7563fd048e740712dac622150290c56b9973572d7e79693d6466e3d9772d4bb3

SHA512
a8588cdcdd4b1bfd11229c1d38542a87508949e77528729d3d5c4884f87e3ab076223df3a79e14d6a86241d8f415eb2d0c19a4bca8ac90876927c96e7d922d4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c4278151a5c0e295d0094b03da2bce31

SHA1
3d4e0add92b7b6f79d4381ecf75d60d899ec9d26

SHA256
75151f21785186772d16be55810ebad92fd212f25c6f41cb71a3b390f3f3e5ff

SHA512
6c419ec8e0ce1e8b740543b9fceea7aa6bb0ecf8a011abc66588ed1d1d1b2b7745f732b4fada316fdbaf4e65d56be6a9e331f8dc390c62c153d1ef365bf1f61a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads