f768945b6d4fa90a0a08c569aed83a57c02d29ca85e7baff8ace36f988743bde

General

Target

65a14594468972818f581957b1252fa1_JaffaCakes118.pdf
Size

21KB
MD5

65a14594468972818f581957b1252fa1
SHA1

a7f28135e3fb8cb1b9d713d469c42369bd01cf57
SHA256

f768945b6d4fa90a0a08c569aed83a57c02d29ca85e7baff8ace36f988743bde
SHA512

7e940afebc539bbe57745635edd85209cabb328e685bad50abde17270902e81ba514e0b890daf42e146e429b5e88f595aa52e4750b3335215ec5ab90eb9d6312
SSDEEP

384:VzdpX0G0KgpA7z1CVAU2RkQ6qulvSlsAvRJ0PZ+CH+cH4qqusAxx5M3oEz8d3edy:VzDX0G1Rz1CqU26fgGA5JcQCecJdn5bh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1628 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1628 AcroRd32.exe
1628 AcroRd32.exe
1628 AcroRd32.exe
1628 AcroRd32.exe

pid	process
1628	AcroRd32.exe

pid	process
1628	AcroRd32.exe
1628	AcroRd32.exe
1628	AcroRd32.exe
1628	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1628 wrote to memory of 3588	1628	AcroRd32.exe	RdrCEF.exe
PID 1628 wrote to memory of 3588	1628	AcroRd32.exe	RdrCEF.exe
PID 1628 wrote to memory of 3588	1628	AcroRd32.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 656	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe
PID 3588 wrote to memory of 2576	3588	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\65a14594468972818f581957b1252fa1_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=598368DBD01004BB1C3A415E9E52409F --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=62C4EABADEC2850BB6B53FD5012B45B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=62C4EABADEC2850BB6B53FD5012B45B2 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27DC4609F7740103B072E34E602C00C3 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5C41E27318BEB3A616D7269863C8F1B --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3877E542EB8333DF2510756E8C6B1F3F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3877E542EB8333DF2510756E8C6B1F3F --renderer-client-id=6 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=730F7A77993A6FF436D7740C0CFD8E41 --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a93fff55f1cae6bf90fc3ad439ce8f16

SHA1
910c83f10e13160cddcc9488367f4c2dbaf09abd

SHA256
7c4deec7e329c47f3c8e4d49252db9bce88ea33a6c01f6748cac4b8b1541ae57

SHA512
e2e44128b22ce95e93d511d063c84b250ee786c55b6a8a8c2692da70625fc9be46e3bd3ca9770ce73df1fb7f5850e5c0b0d25a86727fab984966ac780aa5ac7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
266944c63c1134941dda0ee062a4d539

SHA1
4fb1deda4797786be17428ad9df5bfa550c1748d

SHA256
0c06af4674c005a44bbb0fe1d32b58f1765c20594db61c46c0a0f49be48287ec

SHA512
736c7e38b0f1d397b94a176d8f233687235a4c68cea5a99f213e67554f24ad9203370248a7fbb94f69a6dde477861afc9fb59ea19cf59b717f25097187655f68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads