4db0d574c6f2564726c85cf1602a42e24d0cfa5d9b398d8c0b90948a67b3a4f6

General

Target

694f04e2dec18ab21f29f2d3ee18c55b_JaffaCakes118.pdf
Size

44KB
MD5

694f04e2dec18ab21f29f2d3ee18c55b
SHA1

12f9ab6c7e6eca9496bf21764548f943a92bbf3c
SHA256

4db0d574c6f2564726c85cf1602a42e24d0cfa5d9b398d8c0b90948a67b3a4f6
SHA512

e373747123233c955d99581a6a682829d8bd762886c2e324c3afe40c32ab10cf217da98e6da1cce44f1fbee33a789e095a68ef2770990a33f5a13d687b9ec863
SSDEEP

768:sgGzpD7E3pKF8NTxSMhUsOtbMx3DD9z2wjlegtAZLonif00p9jzcgt8hog89o:pGFvU0tsxTeg+oif0+9jogOao

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4508 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4508 AcroRd32.exe
4508 AcroRd32.exe
4508 AcroRd32.exe
4508 AcroRd32.exe

pid	process
4508	AcroRd32.exe

pid	process
4508	AcroRd32.exe
4508	AcroRd32.exe
4508	AcroRd32.exe
4508	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4508 wrote to memory of 4628	4508	AcroRd32.exe	RdrCEF.exe
PID 4508 wrote to memory of 4628	4508	AcroRd32.exe	RdrCEF.exe
PID 4508 wrote to memory of 4628	4508	AcroRd32.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 3992	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe
PID 4628 wrote to memory of 1544	4628	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\694f04e2dec18ab21f29f2d3ee18c55b_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7047B2DE89F8DE8E60A9D71C8C78F3D0 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4A1D6DBD6FBFE964EF331B5492B2D517 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4A1D6DBD6FBFE964EF331B5492B2D517 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=493296331A4553C7F44CE7B3A1F843F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=493296331A4553C7F44CE7B3A1F843F6 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A8DC9038EEDD90CF8E1C97CFEDA74D4A --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D08D424AE68432D87DCDCFCD4CB6C9EC --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=431B67C8CB6DAED5BDD7CAFA9D9B2693 --mojo-platform-channel-handle=2880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d39fd65bfdd5449e2f6690705341935b

SHA1
f875397f205f29b5fadfb215e88a2f5643e5c902

SHA256
399a5ad1854a983aab3c8ff8434593637c2e75301652025b672f0cb7d3093709

SHA512
411e9200965374135a5c0a0a710bf6707788f5100a79df1bc1deffcd6d8dc062b6f868eaffad4775f5a46dbc404be07040b98786789b182910491f8df02de73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6ef02ea24ea17e98b0028bbcd83b6dce

SHA1
0a483ee4499de7e3fa884c321e2d21756854f6ec

SHA256
cb94dd9cc969a4b07f846384a161454a2e16a8cefc00748cd497dbf781f9d91c

SHA512
5a16d0e197a09334a44ce743bdaf310546d10e4cb2f02a8ea92a46232aa417573389ae61370bfd903971e4fba1cf3e571c110ce5c9a0bf310e657bf1575fc745

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads