f97bbed3492ce79604bc6a933dfda59dad3cf8c1f88fe1cfbfaf5ab7555381d7

General

Target

69586cb01d8f37e59918b15cdf2b31be_JaffaCakes118.pdf
Size

78KB
MD5

69586cb01d8f37e59918b15cdf2b31be
SHA1

a87faf98b1a3d07443ba45a7bab5f39c03f13efa
SHA256

f97bbed3492ce79604bc6a933dfda59dad3cf8c1f88fe1cfbfaf5ab7555381d7
SHA512

ecca35ebcd14cb7fe7f0b3947a311ef3f58222ecd3d0ecf409880cd061cd8d6c5e85987fb21b88dfd0182af824b4984e8234b7c160124eeee012f4e5ba3ba2e7
SSDEEP

1536:HC1UVy+l6JOme4T1CFnBYJSS+CAaOBIQZPsqJev8q2Oay/1Lhb2m1AsZpiErW4mq:HC1EJQkJeYlK4FPNCUECAzRttlqq1ZpF

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4200 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4200 AcroRd32.exe
4200 AcroRd32.exe
4200 AcroRd32.exe
4200 AcroRd32.exe

pid	process
4200	AcroRd32.exe

pid	process
4200	AcroRd32.exe
4200	AcroRd32.exe
4200	AcroRd32.exe
4200	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4200 wrote to memory of 4772	4200	AcroRd32.exe	RdrCEF.exe
PID 4200 wrote to memory of 4772	4200	AcroRd32.exe	RdrCEF.exe
PID 4200 wrote to memory of 4772	4200	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 4332	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe
PID 4772 wrote to memory of 1896	4772	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\69586cb01d8f37e59918b15cdf2b31be_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4200

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=691A125247BFFC17F59808CE4D017387 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4332

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9970A088490E116D6E571A52B97F6616 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9970A088490E116D6E571A52B97F6616 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=89861020C2B1928EBB8F9B6070CFF1DE --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2316

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=54A70F523F1BAE6B328D4B8A3E995D91 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=54A70F523F1BAE6B328D4B8A3E995D91 --renderer-client-id=5 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EF4ECCCBCBAB88ABCFBE486483C944F9 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=898167D70C53BF35C10044611DA7E1A9 --mojo-platform-channel-handle=2752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8f921cfee04532bebc41b182cec87dd9

SHA1
9338d512066d8eabb2372ecf1a36f2d052f20475

SHA256
2ef6381178c0a88c425e17927b80412ea1c98857994410dc8a53c6b93665cb4e

SHA512
8142169f78e92951b95bbe84eb27d6199490974a24ed262f20daa00fadcb3d48c1ae8f75c5493e4af29e80b247455c1ecf3f9bb48e36d77bfebae1963166b2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c1bf9d239874e1f1420c24b3211b7acd

SHA1
a2605a5332ac7c9616a6928a7778b50c82dd938a

SHA256
8daa0e685f9bb2e2af83f49979992f5024b48ac15ebddca468bc2ccb7ca10c4a

SHA512
876d78c7131b2d39054653ecc970e3eb80fb4e3b5bff1f4cb9d8c3d9e7ab0cb72498c9faeee917f3fa8b965ca0f5a290478af429ae74fa68c84af5c33b2045bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads