c04c03a7ee48f049b11d254205186e24e7caea12ae7da00f61a9b615a82abd8e

General

Target

6938e35a34a29dd7e0eb89e13aa78c4b_JaffaCakes118.pdf
Size

48KB
MD5

6938e35a34a29dd7e0eb89e13aa78c4b
SHA1

00dc20d6ccda671f7ac6564151427de97467762c
SHA256

c04c03a7ee48f049b11d254205186e24e7caea12ae7da00f61a9b615a82abd8e
SHA512

2eca403bd1ae283589ea184113806c81b5d2e83f43c2e5c796f76e5c72657f74ccd2467d0fc4c99112136e2a5573e1859c979bf74b270272503a31fa755e6480
SSDEEP

1536:UXFZmGWSU1dAODTRtyR3T7+zooP7G0w9Pmp+tQeWpOB5FtS:CysUT9iW++mB5C

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4028 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4028 AcroRd32.exe
4028 AcroRd32.exe
4028 AcroRd32.exe
4028 AcroRd32.exe

pid	process
4028	AcroRd32.exe

pid	process
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe
4028	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4028 wrote to memory of 2828	4028	AcroRd32.exe	RdrCEF.exe
PID 4028 wrote to memory of 2828	4028	AcroRd32.exe	RdrCEF.exe
PID 4028 wrote to memory of 2828	4028	AcroRd32.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 448	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe
PID 2828 wrote to memory of 3304	2828	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6938e35a34a29dd7e0eb89e13aa78c4b_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D25B5CAAAB8440528263B1673C96B29 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:448

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E6A6F01F440D7680A1F01143D6CF518D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E6A6F01F440D7680A1F01143D6CF518D --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D222B4DF9250ABCE9C98A4B8B58FDF76 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5CB8F707C010D9E21A274B6D3524DD0C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5CB8F707C010D9E21A274B6D3524DD0C --renderer-client-id=5 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D7C5D61B923193B428EF9F6C76F26BFE --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4DEBFF492FB80FA187780119839E1D4D --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d063f87724a0d1341dd2d077e5615520

SHA1
941b46a9306c65364066be554009417b120cd47b

SHA256
8c17cf29a3c43ca9eea98409ad2ad0480f90bb80a7855d9cb10bd325c6fd001d

SHA512
6ca1f84707ffaaf15befa6ce370d09d5b557781fddb1e5a61907ca41febe915366dcb234339e1aab2b77d110646197b0a717caa4a759592073b61216bc58040a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8cab82de6bc2d1c55992d0fa8ee7e1e6

SHA1
2486743f7996beae326ad0b899ed23fe0890d08d

SHA256
083c4f5eaa8013b31dac840e2444849359024bf08e39d4381056e47b9f54ac7a

SHA512
85913565e35a3ed453fc9492c911dbb4d8d124c235780beca3d8288ba99da066599e70e318dbca7b2f4d6dc8ba2259fed1e8d54c4d6b6c6a52fd231948590fc5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads