955a9cbc50ab38cc995903f2655205f122c9086a0d55e6f695b1e264db2e498d

General

Target

6949c65f96849cac6def63211158cc45_JaffaCakes118.pdf
Size

58KB
MD5

6949c65f96849cac6def63211158cc45
SHA1

20b12fb79b3a047df7822fd62b5cb0f5b527581f
SHA256

955a9cbc50ab38cc995903f2655205f122c9086a0d55e6f695b1e264db2e498d
SHA512

ad56f0709a00d0061095cd735207fa971bdef0f934c3f7c9d34dcac96e65ece3c0b59b77117df01de0d67e668d357bbef266fbbe4b17de37ebdc1620c92bc52c
SSDEEP

1536:JGFmWY2ctQxajIHd6gP3se3CsvgbWJl2CJa:cFmWY6MQd6gP73Vvgc2l

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3300 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3300 AcroRd32.exe
3300 AcroRd32.exe
3300 AcroRd32.exe
3300 AcroRd32.exe

pid	process
3300	AcroRd32.exe

pid	process
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe
3300	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3300 wrote to memory of 4540	3300	AcroRd32.exe	RdrCEF.exe
PID 3300 wrote to memory of 4540	3300	AcroRd32.exe	RdrCEF.exe
PID 3300 wrote to memory of 4540	3300	AcroRd32.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1160	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe
PID 4540 wrote to memory of 1536	4540	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6949c65f96849cac6def63211158cc45_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EA4AA3EBC6848A9927BA98A2672AEF90 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BDA392EC46D75F64F07EA90B425513EF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BDA392EC46D75F64F07EA90B425513EF --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1536

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=253A6960C58CC592B949C896B3F65EFA --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1220

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6491F72AE9B21D6C860372D80E746E84 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6491F72AE9B21D6C860372D80E746E84 --renderer-client-id=5 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job /prefetch:1
3⤵
PID:784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8728D67C8212E00EED1752D751411EA9 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE6C928B4CD1E63C22E470FF3D200510 --mojo-platform-channel-handle=2924 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
2a17d9be4939be6e95552da9acf45324

SHA1
94c0163be596bb0204378208de743907ed9e0cd0

SHA256
284847fac98d4febb18e9627cf1275e9bf7d66bbe88d2d1db7fcb8f4b9d2f30a

SHA512
02dcb74c8161185e5f55202436616c966f6669619b5dda986c6a197eedff78baa1e2b15ae11988b62195603470f085c789f8ea9f1190c6fdc2d8015dae59dd43

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
66114c53121fe6eacdbc2a68d83d26c5

SHA1
71a495c33d51e100d76682a1868d960b6f8aac2b

SHA256
4f615147b0b0bdaec6ab5e68c5250127b5cd814b6449e2806a6e800a592df4e7

SHA512
c845f92654c6f24ddb774467a99f26f13ffe3dd9ae12e283c0da5f90a4921153f7cbcf81edc33c409bd61ef5b26451d2ac189def501a9685bc9a1691903b41aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads