ccb52778b051ca764723df36cbb1aaa65f08ee786b5da5d515d6fdd75e0c46ca

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e76d9b3a7deef63e9201a9f77b04f0_JaffaCakes118.pdf
Size

44KB
MD5

65e76d9b3a7deef63e9201a9f77b04f0
SHA1

a661e7f71c93b2ad6f28e1bf13db4891c43e9694
SHA256

ccb52778b051ca764723df36cbb1aaa65f08ee786b5da5d515d6fdd75e0c46ca
SHA512

670c941bf306ac8ea3415c5845ccb8e8ca846b9e4d331a69c37b3fb9f48e2cb5051d34eca52e83be66dbdea321ce8c4328360fabfc7f2de36619b493eb738453
SSDEEP

768:rXuMZmwgCLWarBsE5Hpx/jAuKd8gDIFUU3x6BJycD34qf57Y/1hpItefHxeCsoNT:rXFZmGWSBVj/jAuKd8gDICex2zLtYjeA

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4656	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4656	AcroRd32.exe
4656	AcroRd32.exe
4656	AcroRd32.exe
4656	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3104	4656	AcroRd32.exe	91
PID 4656 wrote to memory of 3104	4656	AcroRd32.exe	91
PID 4656 wrote to memory of 3104	4656	AcroRd32.exe	91
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3208	3104	RdrCEF.exe	93
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94
PID 3104 wrote to memory of 3192	3104	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\65e76d9b3a7deef63e9201a9f77b04f0_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE035B2FADF158A4BD96E7E26532956E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3208
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4409C971451241E9EC8FF71FC335FEAB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4409C971451241E9EC8FF71FC335FEAB --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D348D42CAEDA473F54CC295C06A722D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D348D42CAEDA473F54CC295C06A722D --renderer-client-id=4 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4988
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65FE3F0F5693EBDB89931A9DE0E128A1 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2008FCD77B0B574014E495F05B090DFC --mojo-platform-channel-handle=2824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4544
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7AF23BE062D60393A96F3E13EF4F73B1 --mojo-platform-channel-handle=2112 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9df934bd9da343d22178b516882fc64d

SHA1
e8f41a876f74997da26e851c2102e43fbacf43b9

SHA256
6b66514cc69cc1c56f256a7e68e9c35335eebf023fefb3f5ce7cdf6f7148fd11

SHA512
3787ecb0a18af6f27edd061242d2210f5e38ed7c620fe44726dde8b04b548237b4d44f7c2c57c8524cc6cb0f016c454ce3e697e5a90998f0cef05c012228778b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f3e95d836de00baa44a3cfa56b999d9a

SHA1
79814cfd93a0e7048ebf681ebcd0da75218abedc

SHA256
3037c181b4a73b421af955b451b1fa7c2098c96ced745c4581c61e6044a259ef

SHA512
015c793715ada24784faf72ec9227b4f18c35febb3ce1d25236cae18d20f66b5c2d6949a16ce7e669122dc951c25cf96ff0e6f57c6a03e4344f1ff1b2a79f94d

Download Submit