98cc6c39a5d89f3d48cbfdf136310b14eb64851aa03ca508b1e6442b1026d7d1

General

Target

65c715657b9c805f166a77ab24cf743e_JaffaCakes118.pdf
Size

31KB
MD5

65c715657b9c805f166a77ab24cf743e
SHA1

082809fd9e9f1899f01b4d7a27994ed48ee8f0e3
SHA256

98cc6c39a5d89f3d48cbfdf136310b14eb64851aa03ca508b1e6442b1026d7d1
SHA512

6a851d9d450a8a06cfeb6eb04ca0e097996a24f29e991fa5a76e67df2642b6ffdd04b6bd2c12d636c1e0aaa2fe41cdf2c344e38ec9fbf735c284612be890b74b
SSDEEP

768:WXuMZmwgCLWar3kZZVybcLfV8y89GnufhEiVUEIHlaIcpF:WXFZmGWS3kZZVscxf89Gnuf6CUEIHla5

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4632 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4632 AcroRd32.exe
4632 AcroRd32.exe
4632 AcroRd32.exe
4632 AcroRd32.exe

pid	process
4632	AcroRd32.exe

pid	process
4632	AcroRd32.exe
4632	AcroRd32.exe
4632	AcroRd32.exe
4632	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4632 wrote to memory of 2596	4632	AcroRd32.exe	RdrCEF.exe
PID 4632 wrote to memory of 2596	4632	AcroRd32.exe	RdrCEF.exe
PID 4632 wrote to memory of 2596	4632	AcroRd32.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 5424	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe
PID 2596 wrote to memory of 4544	2596	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\65c715657b9c805f166a77ab24cf743e_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C95BDD23D50DD7A7E1081C7ADFA88EC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6D5E5C9429367F48F8F164537F6429B6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6D5E5C9429367F48F8F164537F6429B6 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F18F5B4EC5DD4FEC94D2FC5B2E63109 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:6048

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BE27CCDF26C0C74A62143E7E7E1EF55E --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F96600CF4A71B63CE21C3FB400CEE0A --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=648A9638FC33E80B49780DFD8FE9713E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=648A9638FC33E80B49780DFD8FE9713E --renderer-client-id=7 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f26b024ea2b344153fdb12012a0fcba1

SHA1
4e180cf17131bff01a129cba8d133d9705a09216

SHA256
df1071f6217822a6f7028746a0a6726ee1a8d49e1db6fb43be5d7e2302e9135a

SHA512
e2284decfa39d94d463e39486634db87c67e43feacf3ee024db6c62748364d2df749ebd4871ab241923a6760654a1c209453bcd106dd0934e528346e5b74e7cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
58775be5ffb8a2698e18ebb18830a7d9

SHA1
0ec7e5929a55feb3aa23cf59d07087674ddac5db

SHA256
49eb9dce244c92d068b78804cf4d4e3ebd6a746fca1d1c458686d772451e25d1

SHA512
136f5d7bd5c2557682a92cc42560e79a8bba54d9d99f3ccb83a8820601c11039decf23645ef8a4b315cb4d2e3c0a097f52cfdf8d70b2dc58408f8b51d12b910d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads