330661cbdb7166a2433b5a3d7bb45ac8961509df5962877af3a746e034bc1669

Analysis

max time kernel
129s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a2818d87b486f40e9b5c5ebe54de5e_JaffaCakes118.pdf
Size

41KB
MD5

71a2818d87b486f40e9b5c5ebe54de5e
SHA1

cbbc465d375448c62dc7cdd29885e8e2e0152e5e
SHA256

330661cbdb7166a2433b5a3d7bb45ac8961509df5962877af3a746e034bc1669
SHA512

cfb86e225a183f96d3ad8d16e8a40d35cef9a126083b9f37877ba562aff857bf6fc915d2ad85e7932ae07aa24a6fdb283d756187bedf6067c581351da69541a9
SSDEEP

768:YgGzpDVD8a3G9gI675HypU3NfK8HmrFFIIItbml0C2XWVTvJWn46rJ8n1sLRLs:1GFBwAK8Gr7IIlVzJ4DK1sLBs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4644	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4644	AcroRd32.exe
4644	AcroRd32.exe
4644	AcroRd32.exe
4644	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1680	4644	AcroRd32.exe	91
PID 4644 wrote to memory of 1680	4644	AcroRd32.exe	91
PID 4644 wrote to memory of 1680	4644	AcroRd32.exe	91
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 2696	1680	RdrCEF.exe	93
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94
PID 1680 wrote to memory of 3116	1680	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\71a2818d87b486f40e9b5c5ebe54de5e_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=357FA5AC800B90D23FDE40E4A75BDA51 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2696
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CCF2D1DB501DDB0CC7FD3B26D885DAF8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CCF2D1DB501DDB0CC7FD3B26D885DAF8 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3116
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=99D52E4DE14AAF7615D90E4E46E23B5A --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72EFEA787BC16B44BA13ADE74E58F21B --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1704
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C222AC60056D45C5A623A1C36548E583 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C222AC60056D45C5A623A1C36548E583 --renderer-client-id=6 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A54D2A593130B2FF779AA4773A2006F0 --mojo-platform-channel-handle=2880 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
476464730ad124d8e1bb49ac2fae834b

SHA1
814f29af04adedfc382194cf8782793b130064ae

SHA256
bae0bac0b41451d893049204295c676f0279db59ce9c76905364a208e321e0dc

SHA512
35492f0a68444928e60322c5afdec82aa63aee5fd4aace2d4d740a9f7aea39e4bfb6b2328aaa3a372ae604e3564981ebd49c38e2712b7121952ce5b8e7feec8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ee157c07d868999aab5b29a9d38592cb

SHA1
a4eea877ac84cd41b9076c0ac9a7115fb316e37f

SHA256
1aef1c2b757995bca747e7e321f32339f99432abaf96c13138b82227674bad09

SHA512
3117411ac6a4bcc2198a52801ec78a10b1bfac1d57905432e376f3d8a45367f8e5dabaaebc3e8995cc611c7772bcd6a7a05f5b65dfa2410dc7ce75b7c5dfb6bf

Download Submit