3ccea456ad505d55e1a7b154c723f7e525a3a3ea2efd632875d0099482b824be

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78fe1aa2dc1a9d82e3bf8ce3b78cdd77_JaffaCakes118.pdf
Size

24KB
MD5

78fe1aa2dc1a9d82e3bf8ce3b78cdd77
SHA1

869da895e9d16d5a088d7dfae7d7038f4ded7d4d
SHA256

3ccea456ad505d55e1a7b154c723f7e525a3a3ea2efd632875d0099482b824be
SHA512

5ec2e99eb17644e2d5f9d518d062bcf45218169b151d93deed6a2fbd2bee8481ff46804c27af41a147dd414ad0ab35626b8995eeb86a92e60a1cdf4ab6545e9f
SSDEEP

768:VziEm9z1Xm6uBCFDHyExZkJlNwdFop8kfGuGSdMAd1PF1QdRevp0GiRQnv5:LK+EkbQ6/Th

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1772	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1772	AcroRd32.exe
1772	AcroRd32.exe
1772	AcroRd32.exe
1772	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1940	1772	AcroRd32.exe	95
PID 1772 wrote to memory of 1940	1772	AcroRd32.exe	95
PID 1772 wrote to memory of 1940	1772	AcroRd32.exe	95
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3552	1940	RdrCEF.exe	96
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97
PID 1940 wrote to memory of 3544	1940	RdrCEF.exe	97

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\78fe1aa2dc1a9d82e3bf8ce3b78cdd77_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9F6822CA51672D2DA0FC2A7F98097F4 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0F99B24A07DE80DC6224342C2C2B45E3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0F99B24A07DE80DC6224342C2C2B45E3 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A95911D6C0367B52C86A31A090CD78E7 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4588
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BE9BC1334B3C7F8490BC4BFABC87EB2C --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3772
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=197B33D98DBB25105A45D75E0ED244F2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=197B33D98DBB25105A45D75E0ED244F2 --renderer-client-id=6 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:932
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5497769021489C42A959AB7B360BA647 --mojo-platform-channel-handle=2804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
197363ea2649ad8ce731f24d1ba9738a

SHA1
ff080b1859626eedcd1d14ab07b82b71baa74ca1

SHA256
4395112fdabbcac96420753139850c51556bf4ae6e4770701c794b56ff4eba11

SHA512
c8f7f664e2a31d439678791cb5983ddb9e4b194bba310798493fad0525bf22b7bc220ca07c99d2e670a8633d66e6f8ba982f6eb46c1b3d23ad1fe57bb4e53a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
94ee7ead393cce467477dc8f44041f37

SHA1
df327c06c41c52d81730c67c8de8036068f87842

SHA256
5ca194c696a2390320af404754a7ab927a5300b3dbee1de391d59db00a314270

SHA512
bd4e2b969f161b088a08bb74349edf95ee6eddac452b199892064030c3cedbf441371af81210cfd74c213817c223012ee9321c3ebc4957c9a9f9bdccd8451314

Download Submit