bf91343e4a1fd897e6fac34fcdf5112c0cf580c74246d47a86af6be4f0a14e47

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d3c4236e5dddfec445e960e42c42beb_JaffaCakes118.pdf
Size

50KB
MD5

8d3c4236e5dddfec445e960e42c42beb
SHA1

1ba4a341b4c7a24e5494f3ec690565acc6b665f3
SHA256

bf91343e4a1fd897e6fac34fcdf5112c0cf580c74246d47a86af6be4f0a14e47
SHA512

ccbdb36e71ff09a933e187df36f73b834aa45de208979835feb90dc5f7d6a985db5fb888d2af2a5823310bef86cd8c30dafaf4aef42e7c510dcf5e837775510d
SSDEEP

768:hgGzpDz1oHFWXphyKJ54gRJG6n7wvFJVqQCtPPiLiikdSY7adjCUwKZCl/eSMw4D:SGFP3LofuPamiHY2EUwgSl445+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1892	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1892	AcroRd32.exe
1892	AcroRd32.exe
1892	AcroRd32.exe
1892	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1040	1892	AcroRd32.exe	90
PID 1892 wrote to memory of 1040	1892	AcroRd32.exe	90
PID 1892 wrote to memory of 1040	1892	AcroRd32.exe	90
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1204	1040	RdrCEF.exe	92
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93
PID 1040 wrote to memory of 1688	1040	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8d3c4236e5dddfec445e960e42c42beb_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=252EFC38733B5FFFE91F5AEBE6654876 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1204
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E527EDDAC0C31B3113B88D2E2A87A1E2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E527EDDAC0C31B3113B88D2E2A87A1E2 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1688
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=518D58A4A6E48EF88FA48DA58107B6BA --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2360
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDD28132D67F4E6F9C00707542B90571 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1460
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DCFD43D2AF3DD5EA3E53E2D02D2EC41E --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2E40B73FC3280A66D584FE05EAC5980C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2E40B73FC3280A66D584FE05EAC5980C --renderer-client-id=7 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d1bf254380fde4d5475efab1c19eb5d0

SHA1
6d69235dc0f21f6fc35e42bb08effb4fd01d5975

SHA256
104e4c2dd2254f80800bf44fa449a794f8ae60e81ce09000f195b4a160643d69

SHA512
18d91c6b39b50eec1f7d0cdca9bcf4e1fe3b4e6a21b6effc4e469b81bb538e4e144b11ac9c7c7c0d98da702f1632858dd3e799f6f361522ed7829a121c243539

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9a49855ae7a81a7d8af46ddcc31da64e

SHA1
c4f939f2ae9643774152f48b34077de59263c5ec

SHA256
1709f37ddac3badc5691ddad15cfbb9830e87cf4edcab024a23b83cf05a4072d

SHA512
d9552e20cd54f8f1bede9e705d749ad3a367182785a567f57ebcb55e9c1959de368dd7e4b408c9b5facc8b69cbbf0e2c7ec1f2ba593a60a4fee9372c4e724910

Download Submit