bc9e264615f5899c56874a9601e296cf7986043621c1a15e6b3e8f773d55fa25

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8092e3737ab11d3297f9d7f7bca3d0ae_JaffaCakes118.pdf
Size

53KB
MD5

8092e3737ab11d3297f9d7f7bca3d0ae
SHA1

c3671e80438ebc9ce51fd32a15f485e4e93e12db
SHA256

bc9e264615f5899c56874a9601e296cf7986043621c1a15e6b3e8f773d55fa25
SHA512

511f1c0d22dc75bbc05f357bdf4cc3139c18b4a5ea3f18894bfc0fb53d7b30789bb4f5deca14685d29cc7d7ea19e546b0be03fb333e682af23490076f4b72878
SSDEEP

1536:5UGFIAx471FU4HZpDEotQkuzK9EOfDcbh:5hFIAuU4HZGoKRK9EO7cV

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3720	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe
3720	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1948	3720	AcroRd32.exe	91
PID 3720 wrote to memory of 1948	3720	AcroRd32.exe	91
PID 3720 wrote to memory of 1948	3720	AcroRd32.exe	91
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 3292	1948	RdrCEF.exe	94
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95
PID 1948 wrote to memory of 1548	1948	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8092e3737ab11d3297f9d7f7bca3d0ae_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1A439EB1A9C3E837147382C98143656 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3292
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=95CAB053DE5E6BD175335EF9CC4A4C58 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=95CAB053DE5E6BD175335EF9CC4A4C58 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=70F1AD92FEF61004B1E63B0C02153A64 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2F67ACBF16C01F9BCD862208C9FEF12E --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1324
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=70DF1D08555AA272F331A5972ACE0706 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=70DF1D08555AA272F331A5972ACE0706 --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C4E5A0411B345487AE4F3416D5C705F --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f715d29fc9ef5ba2dbd43c7c44428e68

SHA1
1c0e21711f3d62821ea60a4e4716c5b198921a73

SHA256
6be1aa9bd7db758fe40ff32020aa14d531b6020d3afa4bd65faae2d6d467b2ca

SHA512
88accb42755ac2935b85a35c66fbaae7923fb90c1177945016daadb9ae49c125f1b84cef9d79b579c8bd0574758302b0304df1f77e270c6a19f509d93fd1e78a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
19d58c175eafbbae6399bb3b5934df06

SHA1
146b9a764aaa90ff120bbd7d80a78958414f2f8f

SHA256
99419f837b8c70e3f08ff9d83ecbe918b5b3c3bdd1bc777307246ff05734bc0d

SHA512
58dce4b884d0e8f42742467e77abf1f57133d5290525c146a2fd9e3a810b350a58708976c97cbc682915337cbd768909708a5ebe3a6a66280b79300c55264697

Download Submit