244aed75c49ca1e9b7d3591817bf7aa6e5c32b41c9229d3e6130ca8f096373d1

General

Target

689880de70489baca461a51e935c7c75_JaffaCakes118.pdf
Size

48KB
MD5

689880de70489baca461a51e935c7c75
SHA1

4375e7a2989808d709b5c4a8a8558a51baee5149
SHA256

244aed75c49ca1e9b7d3591817bf7aa6e5c32b41c9229d3e6130ca8f096373d1
SHA512

c9444771a7d6119bce40fb831ec17db8ae4cf33043872fb89fe6ea81a6b3f3133bc0cdf05886e7c635bf6b9d6dfbbc3e3d8a0925e3dce8ed11c3dad64cfc455d
SSDEEP

768:VgGzpDUpAx3cia/QxbH1E8UNE/Kv1cwYHDNrUoKhFCwAtQXcuWRh81b:GGFYpAxsvQxnhKhFCwOQXH8h81b

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1804 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1804 AcroRd32.exe
1804 AcroRd32.exe
1804 AcroRd32.exe
1804 AcroRd32.exe

pid	process
1804	AcroRd32.exe

pid	process
1804	AcroRd32.exe
1804	AcroRd32.exe
1804	AcroRd32.exe
1804	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1804 wrote to memory of 3228	1804	AcroRd32.exe	RdrCEF.exe
PID 1804 wrote to memory of 3228	1804	AcroRd32.exe	RdrCEF.exe
PID 1804 wrote to memory of 3228	1804	AcroRd32.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1448	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe
PID 3228 wrote to memory of 1304	3228	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\689880de70489baca461a51e935c7c75_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=21EA91E7BC623465740A4576F9C5607B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=21EA91E7BC623465740A4576F9C5607B --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=477149EA667B8B2970A1E561FF079E61 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=82FA26316323337AF262EEB6B0575FEE --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3B89A692691C4D45F36F2763D10F436C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3B89A692691C4D45F36F2763D10F436C --renderer-client-id=5 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4768
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E0125666D5DC903D4920CA5AE57B46B7 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F595A7DAAAF08870D25D90838F0325D --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
eba86ca268332025f6a2b86d680533fa

SHA1
74c63f6a922086687191e28973533e61372a39f2

SHA256
81e7584d3a91719fc8df70ef93a631d12603cac3adeeea54151a0d240f556184

SHA512
4abec9e7067f0341e92d347cf3c9373089648b8e580816f8cbf7adeedb65127be08e1e41f394c4b89dc4c6062f70a993036a8aa32d89dfe5d0f97e259834309b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8664a757db32c08729b0e68917f28d10

SHA1
38f3a9ede8489964cf0ec89ab0a82287e72226ba

SHA256
0d5a11625eabeb19529d725866adca48a9fe6592b69e3716b95dd62fb149efed

SHA512
7f1eb1bf0d836721796295ef3c0bdf69329745f27ea7b9eb0e828859b408cd5e4d0a2deefed78f48fd1b67c683117dcc2393324405499d21bfc56c6899830d37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads