72ddfd11363e98401749e940e16e991d345f30731a235fd42ab414fa4e51dbc9

General

Target

6939dce09b89da6745beb9cbb84875da_JaffaCakes118.pdf
Size

139KB
MD5

6939dce09b89da6745beb9cbb84875da
SHA1

28b3c4dcba47bbd6244992de4641e58ece24ecd1
SHA256

72ddfd11363e98401749e940e16e991d345f30731a235fd42ab414fa4e51dbc9
SHA512

460408eaa35e4c97aa43dd3468a9fba4b1147d22f026711e0f171594760db2191b3b88db3ccbb6e2368d072958230999fcca020dcd71affbcbbc549fbcab97dd
SSDEEP

3072:pysPq3XM4PH7e8SqsFJyNJV96y/0ZhtDXBunMAhy3CfTWGOWbR3tOJHas7TO:h4PH312yGhDudhuiTWGOGR9l

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

772 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

772 AcroRd32.exe
772 AcroRd32.exe
772 AcroRd32.exe
772 AcroRd32.exe

pid	process
772	AcroRd32.exe

pid	process
772	AcroRd32.exe
772	AcroRd32.exe
772	AcroRd32.exe
772	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 772 wrote to memory of 1612	772	AcroRd32.exe	RdrCEF.exe
PID 772 wrote to memory of 1612	772	AcroRd32.exe	RdrCEF.exe
PID 772 wrote to memory of 1612	772	AcroRd32.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 3824	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe
PID 1612 wrote to memory of 640	1612	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6939dce09b89da6745beb9cbb84875da_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5482E913086AFC45611EFA54519E7D5A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2362FBEDACC0C5A31A8519CB69C5A664 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2362FBEDACC0C5A31A8519CB69C5A664 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:640

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74EC2B0BFB5EFB247B40B4724E9D4816 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5AF86B782F067EB3F692D212409E8877 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5AF86B782F067EB3F692D212409E8877 --renderer-client-id=5 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
3⤵
PID:60

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=168868BCF34A26798629F4E829F24585 --mojo-platform-channel-handle=2796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1D21B23E7C0C672A66B0EAF114E3D2B --mojo-platform-channel-handle=2108 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8f22bbbcc99c65b2bb352f1c22de0782

SHA1
eadb48db958a9315d2b0d9f0390e997b72d31d8b

SHA256
444c146c601a3c5d54f62604d76b3856495c3da9792030afe7a7bea99f09b282

SHA512
75cb0646285e1dc0589bd338d6557f969d694cd0207125af38d324d21e7866f17dc9bf93ad874c9896980cabd67172217b7aa553448c9a705278d8df21b8a4b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7a711409e6e343f454abd3503556041f

SHA1
c9095b31d10a029f5e0df24c0758e097dbaf54f3

SHA256
148d4453d0cfb35a46195792b64e2ff475603015e55a92cb2e8c3908d42f9d88

SHA512
99172dfd016cb240136f258096389840c860a023c0aacf9da906d61f5440139ea19908064b688aca555b5a258cc25d5206aee12ac12e8d6cbb90325cafd49618

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads