24189908ab6fcb889809d26ff197bce24cf37f0b80dfe07224be71a5e403c15a

General

Target

68512d1fd261702701425076b560f540_JaffaCakes118.pdf
Size

38KB
MD5

68512d1fd261702701425076b560f540
SHA1

c0524c97373edb72a274ea4e1cc5b460b9292079
SHA256

24189908ab6fcb889809d26ff197bce24cf37f0b80dfe07224be71a5e403c15a
SHA512

01fe487aa7da5a2ccce5ca1834796620c16fdafe6ab89346927b2c590ec88cea923df57df1e36839b3d203b1a5804540b3f8b91c8fc7188b73e5f7b7b84c2ec9
SSDEEP

768:+DXuMZmwgCLWarQE5HpuZmI0Fn2aGaIUKNQa33HXrKGAy4G7Wij1BwlnIsY2:2XFZmGWS58UI0Fn2aGaIUCQa333r5AyO

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1396 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1396 AcroRd32.exe
1396 AcroRd32.exe
1396 AcroRd32.exe
1396 AcroRd32.exe

pid	process
1396	AcroRd32.exe

pid	process
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1396 wrote to memory of 556	1396	AcroRd32.exe	RdrCEF.exe
PID 1396 wrote to memory of 556	1396	AcroRd32.exe	RdrCEF.exe
PID 1396 wrote to memory of 556	1396	AcroRd32.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1948	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe
PID 556 wrote to memory of 1576	556	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68512d1fd261702701425076b560f540_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D4E780A0EB2D258F83DD9E64869432D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6A26CF7B4413D7B3E91F5D957222EA8E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6A26CF7B4413D7B3E91F5D957222EA8E --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72BB43FB9D7C56B99F1F26B1F999B38E --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5C45338E6AB4017C3DB4996F87334C28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5C45338E6AB4017C3DB4996F87334C28 --renderer-client-id=5 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4704
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F64E2B4D81A46D51F0BD9D00B44ED708 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4272
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9611F59F6301B974890CA3D9C2FB6BE8 --mojo-platform-channel-handle=2768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fb2b8d8f3900c61536ae7c4f5298c89a

SHA1
8524f86f507eea6c1919382a82a09477a26eb2a6

SHA256
7648ac20174aeb524732cbef2a9ca2e4d4424c0266413f65d6750afdc1f166a3

SHA512
ba27f75c481f4c5788f286591f946cf8f05ef2c7269a5343cc1a464a79554049eb2c7c9349acfab5ce629afc7561b0f53ff5e0367c987ccdcd23881590735126

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
83e3188af7c458abad50986804cf5f2a

SHA1
d28e375dab6477dfa3466660c3957f05fb5f8159

SHA256
f9c3bb0e4b73e7674baea00b8e19644db644d0cb4c0682505cdf23788cadd386

SHA512
c2b73837243fd690d0ba406742a2b84bc93f0387bf205e38f9152222c836aaa73f660f725233a2390fc51e965e5c47132c386a0ebed7770f7027cc3de17cd6d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads