512fa69ca9d5530be9df022bfeed1961f8a519c592970c0995976a04e1e9b9fd

General

Target

65c96f2ff83b6a2a9bb59e62def87442_JaffaCakes118.pdf
Size

40KB
MD5

65c96f2ff83b6a2a9bb59e62def87442
SHA1

02ca2ddda9c69caaa9af8fb7480639bbc7785df0
SHA256

512fa69ca9d5530be9df022bfeed1961f8a519c592970c0995976a04e1e9b9fd
SHA512

d54d4fc7bda8e96ed4480272d881121429553385f719ed4a5f9649bbd0826215a89491ebd3b640d704b2c9fd6744a18ab671f2121cc7731e902f4a85ec08d08a
SSDEEP

768:2gGzpDMrqrsvHBnX0gB8B/9Q4a9rsib2IT0MIsM+XM1AGUhuxBmB64AWTYfTM:jGFArqc1KIT0TsMDaGR664xSM

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4336 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4336 AcroRd32.exe
4336 AcroRd32.exe
4336 AcroRd32.exe
4336 AcroRd32.exe

pid	process
4336	AcroRd32.exe

pid	process
4336	AcroRd32.exe
4336	AcroRd32.exe
4336	AcroRd32.exe
4336	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4336 wrote to memory of 1884	4336	AcroRd32.exe	RdrCEF.exe
PID 4336 wrote to memory of 1884	4336	AcroRd32.exe	RdrCEF.exe
PID 4336 wrote to memory of 1884	4336	AcroRd32.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 1780	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe
PID 1884 wrote to memory of 2868	1884	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\65c96f2ff83b6a2a9bb59e62def87442_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFA814635C8189EF8BFD13E12A678586 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1780

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=61DD3CCCA01A376C0B534E6284AE0B4B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=61DD3CCCA01A376C0B534E6284AE0B4B --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D65D6C9B78EE1000264FE75A9406A126 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6405A1459F075E2B527863B69C7485B6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6405A1459F075E2B527863B69C7485B6 --renderer-client-id=5 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=893C3739333DA299F97AB83FDFB778A3 --mojo-platform-channel-handle=2748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38236445A3ACC31E7B4302A56998E6C4 --mojo-platform-channel-handle=2888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6dd07aa747cf5ce1800138e0e2945c11

SHA1
194e6230c49f41f6a45019be68a94f4e0c6950c9

SHA256
0b54f60855aa55e9a5713d20d83b290bc3e94b5b285782294dbd98b8da0cac82

SHA512
4c82e94f7a4750165d57d985a1d54d4c73d2d05352706d0c4b77a3a2acb4baf3837bcdd94c3c7ee9fd237935b4ad302822c0b06d18fa7ce3022a9b804ef73033

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
960c17b9541f37ab3b7b2804d562a74b

SHA1
980d27b1d6b1536383dc02238665a717338a5243

SHA256
c12867500afef6eff1873c11df78f8262e7eef225b47c8b5edae541732cf8063

SHA512
d3f9696b67b6e0ceb7bbede614d25dfc6fad52b1a3f88df39d48d51bd967a31d76d6ee82cf3ce49f33c3619ed8645dd9993dfa87d59385c67bfcab0e85231dc9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads