2bfedfa8fdee5e54f814d611ff8fa77fba3a1c5437e5a2393512a5535d2383df

General

Target

686b85507ee4566c434eae16886070ca_JaffaCakes118.pdf
Size

33KB
MD5

686b85507ee4566c434eae16886070ca
SHA1

4e5bd7a82b0d5f070851a199e768b5b994ae595e
SHA256

2bfedfa8fdee5e54f814d611ff8fa77fba3a1c5437e5a2393512a5535d2383df
SHA512

393bd1ae2170b922b08e240a9cf2eec6aa1eb45ea3cfb655b50694f548f305930dd797ef2571892543538648e5557432184b8d1ffa69ce7e66fc93bd39c9444a
SSDEEP

768:W2084dJc9Z4pKtVJxJELVNOrHTv/glhl+IahxV97BR4xipVLPSE5fXuMZmwgCLW9:I8aJOSKpJELVNWHTv/glhl+IahxV97BM

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1332 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1332 AcroRd32.exe
1332 AcroRd32.exe
1332 AcroRd32.exe
1332 AcroRd32.exe

pid	process
1332	AcroRd32.exe

pid	process
1332	AcroRd32.exe
1332	AcroRd32.exe
1332	AcroRd32.exe
1332	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1332 wrote to memory of 4304	1332	AcroRd32.exe	RdrCEF.exe
PID 1332 wrote to memory of 4304	1332	AcroRd32.exe	RdrCEF.exe
PID 1332 wrote to memory of 4304	1332	AcroRd32.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4396	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe
PID 4304 wrote to memory of 4948	4304	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\686b85507ee4566c434eae16886070ca_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AD276A95B5D41DFF54A819D3239D27B6 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4396
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=79A312FBB049C4371441882B8801C0D1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=79A312FBB049C4371441882B8801C0D1 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FFB27CE6D5C9B3B1959127FD574C425E --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:844
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2C4F3E02EF1B3C55C432082D6A617EF8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2C4F3E02EF1B3C55C432082D6A617EF8 --renderer-client-id=5 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4416
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE99E8100CDBCB71EB73E10040CF668D --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3200
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B08AE1F67A17B03EE207732B5AB55CA --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f1c3833a0817a72fe6910285de41bc03

SHA1
a9471c6957ce150c19f07c690ae3ac998819fce4

SHA256
24e26b143e0e837a97fa5d5d153c42fed135dca763a630e1f333b549faae456d

SHA512
c011d272e6aff49e7b88dc610170f696a242939e73e7e45b52cd5249e7c9947814737704a64e07f79d8047c25b3fa732588f7debf9ec05052673f9ad88f9978b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
579729d2dd43b9edb1451576b2f0a841

SHA1
997401c911edc6097dd7383ae2dd4f3866699930

SHA256
70a39b030d875a4f1c5e0ddd2d3d0167b64e0d1eac566c303611de2ece5a7000

SHA512
2801d237dba957895ef6a82419852e5cdf56a9d893e7ef6c0c4731137fb82a9acbc4584c3d90b710bab72d8540f2e883856dda4bd1e24e41471c48c60cf6922c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads