c02cf64d9d580af1f9b575d63113b5a0012ea016c9930e7ecf7f1902afbaa8e1

General

Target

68941b5f14174985eb8018e13a0d39bc_JaffaCakes118.pdf
Size

41KB
MD5

68941b5f14174985eb8018e13a0d39bc
SHA1

7e00ff9fe64dbd34d8310c21dd7a3e59d625fdea
SHA256

c02cf64d9d580af1f9b575d63113b5a0012ea016c9930e7ecf7f1902afbaa8e1
SHA512

1ad7c8303b36ea9084ffb9c1c717894949ad0ca0b5cc80422bfcda1b0fb8bc7779809d8fbfcd77632e29dd29a1fddfc6f5dc6bf415fea9c87aa7f774ddc8ea57
SSDEEP

768:BKgGzpDbqRIhvKJk0NWNOYtsmnN/vn1PL/PqezpWgfc5l:BXGFIavynC1PL/Pjzffc5l

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1216 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1216 AcroRd32.exe
1216 AcroRd32.exe
1216 AcroRd32.exe
1216 AcroRd32.exe

pid	process
1216	AcroRd32.exe

pid	process
1216	AcroRd32.exe
1216	AcroRd32.exe
1216	AcroRd32.exe
1216	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1216 wrote to memory of 4616	1216	AcroRd32.exe	RdrCEF.exe
PID 1216 wrote to memory of 4616	1216	AcroRd32.exe	RdrCEF.exe
PID 1216 wrote to memory of 4616	1216	AcroRd32.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 2392	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe
PID 4616 wrote to memory of 4660	4616	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68941b5f14174985eb8018e13a0d39bc_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=619AAB218B87632ACF4F67F6046B95A9 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2392

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2A67645C94F143709FB4AB1A3374DF44 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2A67645C94F143709FB4AB1A3374DF44 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=612740C4898B6443530D4FA98F77AFBE --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E9F30812D2163996EBE9A5A86658EB7 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=069E429BDE888E57AD6A8B13A49E01FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=069E429BDE888E57AD6A8B13A49E01FD --renderer-client-id=6 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1971DFDF3D1BF0F086F1740392C23FF8 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
2c3f9b320ecf8eb613504457960f823d

SHA1
a42fb4d3a88a504849d3978afa505b50c3fe3165

SHA256
73ce43d741090a21abb96d99ec76725e2a3186b57b15becd23ea319ed64bb25f

SHA512
0bf271cac45a01f5edb67d0819cc0e5c85e3bc26e705c52f9dfd2c852957c8d7db1a2a2aa8534f63209029a171f2ba3561561fd4b772cddfdae413e585d979e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
983a2847eb765fe6b4a1adfcf00bb692

SHA1
9b08ba33d07f3752fc3015e2e4dc869d8791b0d5

SHA256
69d1e9d239088d6a1ba7b4c3f2cb4b72eef7ef56a8fc01256b7620ac7085d077

SHA512
18108d4d083fad9f5f66385383a4ddd5464e0bd3cbe874f1eeaeec71087b2f9618d55e3e1956ece9ed545d1a05e233a5ce4fcefb3ccb454ce6193b2fc3cf0fbc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads