a36b1a7dc22eda1a8549849b146acb5fe37fd3f41d537e08bde5c29711eccdaf

General

Target

6888360c2458d8307491410f0da87f83_JaffaCakes118.pdf
Size

59KB
MD5

6888360c2458d8307491410f0da87f83
SHA1

3d471562b59a93670222a2e943495b65cb131fd2
SHA256

a36b1a7dc22eda1a8549849b146acb5fe37fd3f41d537e08bde5c29711eccdaf
SHA512

2707cc7ac163508193d16d61fdcf92048a760899424d0ac75bf25a2512739ea93a8f0968cf3c602378525bb00e2ab49d6b0020f5d45aa7cb4358e2701eb17251
SSDEEP

1536:tGFyehWRCAfV5V050VhR03D0QHoKHwm7IsmIo/A6ia6rGstJ6T:wFyewbbVidb8smr/bYrGstc

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

212 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

212 AcroRd32.exe
212 AcroRd32.exe
212 AcroRd32.exe
212 AcroRd32.exe

pid	process
212	AcroRd32.exe

pid	process
212	AcroRd32.exe
212	AcroRd32.exe
212	AcroRd32.exe
212	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 212 wrote to memory of 5112	212	AcroRd32.exe	RdrCEF.exe
PID 212 wrote to memory of 5112	212	AcroRd32.exe	RdrCEF.exe
PID 212 wrote to memory of 5112	212	AcroRd32.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 2860	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe
PID 5112 wrote to memory of 4800	5112	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6888360c2458d8307491410f0da87f83_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CDAC808D8BBD8B552D75A46174B043FF --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=89F2659BC8F21D707E313F7EB7CC3F17 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=89F2659BC8F21D707E313F7EB7CC3F17 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4026085155DE28EFD05185707CCF6DC7 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7359081332DD0C42199F27E6436A43D --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8E6B6ED97836D93802839AA513ECB317 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8E6B6ED97836D93802839AA513ECB317 --renderer-client-id=6 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82B4B7632F813070A8F6C18A2BB08AE0 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
96bd0ad1be40c866ee0b05f1fbf76185

SHA1
79b1efe74e0454412b83562e1894ab102bcfdb11

SHA256
112fc5a946748d0353f0bbd11103286849979eb0633815467bf753877b8e3d79

SHA512
61596594db3cb971412ee62356f768af58ab2937b3390e43c2ec549a18cf62631f4c5e12ff0799dee126307cde2c5d4928b5dd9c8814b9f09aada981d9e20db5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
737efb399eea249c97053356b2ec55b8

SHA1
7935849690ea151bb690ec4cf35128ca13e16de8

SHA256
9486145d7b6b5fdcfc250a5ba2ee7bc40ca0c0264aca40763ff744c1ec1f50f6

SHA512
80599934e27685d845479b34044f69ce42420f8c48806d01e44e80fcb0a34606e14b8f7237a8e6f9cbb477b32b79f887d42b29984c318f7db221dd93994e1d80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads