66c1ed319be83dd0b8de4faaf333c8c0b5573d4bc2ad30ba5022d9eee52fbfc3

Analysis

max time kernel
130s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b7b3fea776cac3ebc7c75bbdba73b0_JaffaCakes118.pdf
Size

95KB
MD5

77b7b3fea776cac3ebc7c75bbdba73b0
SHA1

d1be63a4f3d349110c48f86090dcee59f8db6a97
SHA256

66c1ed319be83dd0b8de4faaf333c8c0b5573d4bc2ad30ba5022d9eee52fbfc3
SHA512

7be24c51e972ccea34477e29547173792476fdb2ffcfa152c33f2588da10156fd1f94df28b05e3a0983cc831eb189fdb64db05c2896babd1e996969a2345cc01
SSDEEP

1536:WGFiWuhLKC0+Y8yNlM6UE3qVkrfEB4OcNqXKLDd/9JCpcFgy2soEaBkvc/THYnTu:vFiWulhmNlOEPEB+RDd/9J9FgtT8qTMu

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
548	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
548	AcroRd32.exe
548	AcroRd32.exe
548	AcroRd32.exe
548	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 3672	548	AcroRd32.exe	95
PID 548 wrote to memory of 3672	548	AcroRd32.exe	95
PID 548 wrote to memory of 3672	548	AcroRd32.exe	95
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 1612	3672	RdrCEF.exe	98
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99
PID 3672 wrote to memory of 2192	3672	RdrCEF.exe	99

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\77b7b3fea776cac3ebc7c75bbdba73b0_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=98908E064F3C781FECCE40E72C8EE03B --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1612
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=435D1DF0E564C146094E3F0C328CC1CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=435D1DF0E564C146094E3F0C328CC1CA --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13E8D067951464CCEEFAD9433A7B09B2 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F40734BEFBF3D494BC28856AFBBA1895 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AAAB205EDBFA651ECEDA6133969A3C6D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AAAB205EDBFA651ECEDA6133969A3C6D --renderer-client-id=6 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6DE1E90B827182595BC7097FD8664E2 --mojo-platform-channel-handle=2768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a0d1a2e1d0a59485add034722e9da7a9

SHA1
46202def5343fa509f990ce7a3ef12742de9ad19

SHA256
2e56944f75af50773f9540b4245e834537a0927a94f4561d86caadd5248268b0

SHA512
dd0e6dae5ba170649a14b4deab52234a79bdab342829ce1b81b36c1d5d49be57fe08524aeb0cec28d45cd25e883e6a39be0ca856c55cd440198072b4f577e6d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
2aeae17fdc47ba6e7ec07ad5c603c405

SHA1
ef7f511a0031936e440f705491e2ede430ad709f

SHA256
39d904b40e9c57383aeb4901fdfc553ebacac16955607b641acc20dcb9e6dfe7

SHA512
6ebdf11f76d23ee2dd7c0f0af437f7dcbdd501bc5d12c3cba33062021ef00d58848de995b30eac1e90d8d65530314809a317327d97d545b8a8c18b89598e5a4e

Download Submit