77c081c4a4c21007656f6c1aced656ea40abe781ac9fa473d1949e00c651b133

General

Target

69403f50d7a1d9774d63df249f93a604_JaffaCakes118.pdf
Size

22KB
MD5

69403f50d7a1d9774d63df249f93a604
SHA1

c4ee9c573b3183307b525b491aa5c77d2e003cd7
SHA256

77c081c4a4c21007656f6c1aced656ea40abe781ac9fa473d1949e00c651b133
SHA512

cd50d43f9dfe1b61cad419183eee5a2c5fec35b45802c647d0fe7f7975e8f974edc7814cb900c8a70425ffccd7d5681c589921af5682a5916e6216e5de09649c
SSDEEP

384:y/QON8MUG6Qgw0JZCTzz02YFnarXWgE5HPBxiZANdXWfvwXAK6OQmiKaM+0VHNtM:yXuMZmwgCLWar/E5HpxBrXmow33J5BgI

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

3568 AcroRd32.exe
3568 AcroRd32.exe
3568 AcroRd32.exe
3568 AcroRd32.exe
3568 AcroRd32.exe

pid	process
3568	AcroRd32.exe
3568	AcroRd32.exe
3568	AcroRd32.exe
3568	AcroRd32.exe
3568	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3568 wrote to memory of 1792	3568	AcroRd32.exe	RdrCEF.exe
PID 3568 wrote to memory of 1792	3568	AcroRd32.exe	RdrCEF.exe
PID 3568 wrote to memory of 1792	3568	AcroRd32.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 2668	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe
PID 1792 wrote to memory of 896	1792	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\69403f50d7a1d9774d63df249f93a604_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36A091D439824495E44335FE0B03FFAA --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F317B0628ED07EA130E744B607FA2733 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F317B0628ED07EA130E744B607FA2733 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
3⤵
PID:896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=288D3DA8B735C71B2562D7138FCD4537 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=144BF091454EA13AEFFEE877E127B56C --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0AFB9F827C02DD9E1C20018DF047C382 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e7980d7d06cba6124cabf3995cb47a8c

SHA1
b0508175e439acfb66240ad7332010d3d79f4246

SHA256
8dcf3982f92bf6dcda1fe5abde2ce832325a58e5417557f9d19eea6686fb01ed

SHA512
249c9ac7aedeedaa95ae54814a1d82f7097b7ee1c6623b77279a370129cd74477fd7867214d1dab61d174d088e9ea8db7a3a753a37e1bdb1c6d3980446c7eea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f9415bfd3c8d20c3c9ab20b9c6045049

SHA1
da32ca1680f485ca6c237becec09f2d81c543efb

SHA256
624301f28f4b53f068e7ac59cf7aa5c538c40a4fde55f3d1fa4ef337a7201b6e

SHA512
4f6775941eedb708ff0846869d92f0122abd625a9082cf9a8e575a3594ac0725a2470a8445fe15f01b7c27556dc91d91e13c77594ac5ccdd0705abfba56d1c9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads