ded83e3c5ad79921d2cf20cfa767cfdd995bad04d94ddcfc38675730a064dbc1

General

Target

6949158a6815f2b408f88e513969d114_JaffaCakes118.pdf
Size

40KB
MD5

6949158a6815f2b408f88e513969d114
SHA1

2ccee93cbafdff72ed62219d165434609eba1b68
SHA256

ded83e3c5ad79921d2cf20cfa767cfdd995bad04d94ddcfc38675730a064dbc1
SHA512

283c4db60d74dd2f5c2451d39b02882872318affe9fb4a1a0f86813963cb524702897597b1baaa7afa05ca1c53a171296b3c962ae042f169ab59cca5df4303a5
SSDEEP

768:JgGzpDqpljt8o7+0mSzd8RNCLdVSveicC1SfaB+QptzAdxocQTHTzX6kPuGIUQ8:qGFmplQ0MNCZVSGic/SscAMcQDTzX6kh

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4216 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4216 AcroRd32.exe
4216 AcroRd32.exe
4216 AcroRd32.exe
4216 AcroRd32.exe

pid	process
4216	AcroRd32.exe

pid	process
4216	AcroRd32.exe
4216	AcroRd32.exe
4216	AcroRd32.exe
4216	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4216 wrote to memory of 1244	4216	AcroRd32.exe	RdrCEF.exe
PID 4216 wrote to memory of 1244	4216	AcroRd32.exe	RdrCEF.exe
PID 4216 wrote to memory of 1244	4216	AcroRd32.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 4148	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe
PID 1244 wrote to memory of 2256	1244	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6949158a6815f2b408f88e513969d114_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B5B0B72D2CCDE1C54F719B119D009DC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B3CEB1758E9E34B9C1761F0B800A0F39 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B3CEB1758E9E34B9C1761F0B800A0F39 --renderer-client-id=2 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2256

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9319768A5EAAF41C6D938667ABD7447A --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9FA3E98D013815ED62FAFAAB3F6CD1E9 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3272

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EBDE38B24C9828559BC452DFB7B465A0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EBDE38B24C9828559BC452DFB7B465A0 --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB77E3EDC33E60F0C8C2297CC4B91267 --mojo-platform-channel-handle=2740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
afa3aba185eda9f335840755b2896902

SHA1
d8120714e5c8cb24d887c2c34ad8f063fa748c04

SHA256
4282522d190403f72705fa9de09742932e14ce5fe1dcd7d036d2e14305a0efb8

SHA512
a136e2bef4263d841ff43d521487e0a321bc7e89218ff16c8371ba73ffc06ad1a7729917b9b9981bc325aa143b14d1346a28e1ef4ee69df978047f1ee8470176

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b69ddf5e1629cd19063c46c9a6fbaf84

SHA1
bc469ed235b746e692eaaf13e5413aad3c4f0b6a

SHA256
ed4b07dc93a3785517d0c6a44c3de84907bf7810f5d9e9defbfe2303af311e1e

SHA512
37ceb9b7364283ccd53473653ed651af1adc0443404f872cd4b7f01c52358c44a5db9fe7da2e458d63fd6a50076750149c6ebc4da01e3be1596312106755e34f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads