3149f420ced35d4b366228dfb3fb4347595be080b85a85c1b1e6cd19255af781

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7004814805788e8e98b5c68f49c79b63_JaffaCakes118.pdf
Size

53KB
MD5

7004814805788e8e98b5c68f49c79b63
SHA1

77fa4f5fbe96bb9fd73280ffe947835beff3a1bc
SHA256

3149f420ced35d4b366228dfb3fb4347595be080b85a85c1b1e6cd19255af781
SHA512

1c1f412556be78c2e8c293023bcf427fa39091d1354129199c122c13e5aa5bbc06b6063a68a0bf4230a3a4838ae73dd0eafbb49e22d901303284d21b131e86c5
SSDEEP

1536:syUg7BjBSlCQWErOp68Y/u5pFEODQSauF/2iJcbb1G/gLRZmnux5nWcgEUHdQIvU:f7BVmCQxrV/uHFEHZueOOJ8SXs+VTL+g

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4988	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4988	AcroRd32.exe
4988	AcroRd32.exe
4988	AcroRd32.exe
4988	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4548	4988	AcroRd32.exe	91
PID 4988 wrote to memory of 4548	4988	AcroRd32.exe	91
PID 4988 wrote to memory of 4548	4988	AcroRd32.exe	91
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 1648	4548	RdrCEF.exe	93
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94
PID 4548 wrote to memory of 4400	4548	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7004814805788e8e98b5c68f49c79b63_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E173620649C272934B2D86D3BC10929A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1648
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8EAE7D9EF90F11295F8DECC6699E33EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8EAE7D9EF90F11295F8DECC6699E33EE --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=265513B54D929B910A2E2230126113E3 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0866A2FC13E4414758A6CC117390FEF4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0866A2FC13E4414758A6CC117390FEF4 --renderer-client-id=5 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=407A67F6041E624182A48B4C7421D3DA --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2688
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=682ED64C90B3550CEB41A6B4C19BEAE9 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fb6188ad95fe48e8bd4c88446b202ac4

SHA1
3d33bb2399adaece317ecf27ede4bd77f6919120

SHA256
a8d8e2ee970197b190bd2ef153f2498e5a606b76b5eb8f3a73582d8eddb3df39

SHA512
b6776cb030002594d49b014ba5b0afc359773ee7f836c23ca6c1eb9afdaaa35f9dec7c6db6ecbcfeea980cc685aa31ab34cc2e34cb11d8ad8d0ca663b57375ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9308e8246b448e83dc1edd147cec7c18

SHA1
ca97b48f97654f594b221db60d7c29fa1f5bc200

SHA256
340b87cd208ab46f611d04eabebf38e271d2c4eeafabc471bf28e577fabb8d9d

SHA512
5b3e3c91e3e330e77a9c17974686febd1ef5d9c2970872a13af7b5e3cd0d30450e75654d9135a0f930f9f5b897e1d491bc2cad9cd96581f1016bab3a587ecb08

Download Submit