b1a51a73b95378864c9e6dcb870f609a4590ade357b557ae35a5b49a7ab1d42a

General

Target

65d31738150a1e6b2a65720508b84411_JaffaCakes118.pdf
Size

43KB
MD5

65d31738150a1e6b2a65720508b84411
SHA1

2905e90782ca171272fb9426782c5d7c0af247bc
SHA256

b1a51a73b95378864c9e6dcb870f609a4590ade357b557ae35a5b49a7ab1d42a
SHA512

e87e643f0ee4c9d3a960d6f06d944106eab77c3022c3e8837c8e9937ddfe6b73100f8365835237eecd7625fbd01313659ea9267ac7061b7c2802b92df8c5cc7e
SSDEEP

768:EgGzpDfpczY3PTXTHgTLio52+CNvIpla+b7zQmR1whpO0NEDDNW25JFo321Ilhu9:xGF7pohCcvky06vNvNCuC8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3492 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3492 AcroRd32.exe
3492 AcroRd32.exe
3492 AcroRd32.exe
3492 AcroRd32.exe

pid	process
3492	AcroRd32.exe

pid	process
3492	AcroRd32.exe
3492	AcroRd32.exe
3492	AcroRd32.exe
3492	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3492 wrote to memory of 2760	3492	AcroRd32.exe	RdrCEF.exe
PID 3492 wrote to memory of 2760	3492	AcroRd32.exe	RdrCEF.exe
PID 3492 wrote to memory of 2760	3492	AcroRd32.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 1092	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe
PID 2760 wrote to memory of 2032	2760	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\65d31738150a1e6b2a65720508b84411_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14481DCCC4E6C071247C6A54579AC1E9 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C1CAEFBB1C87C49ADA6236D555780773 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C1CAEFBB1C87C49ADA6236D555780773 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5CA2626047D6DA2617794A8F567BC21 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3156

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2675FD93410A66C203DDA16CCB5D0F06 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82B106ADC3FC4EE1AAC0B33FAD3C226D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82B106ADC3FC4EE1AAC0B33FAD3C226D --renderer-client-id=6 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FDF7AF2AE246D6F53321159C8036A69D --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
fd0c61cc04af627a5bd6916fcb934a10

SHA1
e623cb9424ea4274637b3f3192a381635315ee27

SHA256
fb550d9de86b3259a61040486f658167c37428e737f4078dc34720736b9efbb1

SHA512
6435f8db25569d7aa30d06b665a3c88b5fb76e82a12f80c345abee14a8bfaf4272fe003ca23d8557b192e02d18eeddc7eb41d6764c68d64d21c9c327d363e0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
e28bd24b832ce23859da69e7be754d88

SHA1
fe82c199a952c96e923e141cfbb83deb05e6d28c

SHA256
e6c5f978c0046c680426a881960d87c25ae9e5f6aacbe92155444fc1b9f2ab32

SHA512
dd10338274ea4930cbbd339a071cb71f643ccc46ab1c7316c5cd866a882de2165cc228db5f155e4fe085a48465445ba34ef62c8815855d0ab501d993c9f63151

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads