30193e23501a2b6251b0287a59f06982238b8558988ff898399cb1061fd36cbf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ac8c1990f91e72b8d64ccac8402c54_JaffaCakes118.pdf
Size

59KB
MD5

93ac8c1990f91e72b8d64ccac8402c54
SHA1

1e65c8ed898bfb3dd3c111ab817ae4d63d552615
SHA256

30193e23501a2b6251b0287a59f06982238b8558988ff898399cb1061fd36cbf
SHA512

b235c463b162f3b81e67c2e4e94f8c208dbddef473aa68c33b4200187944bb8f091656fba142ee5d747a92a7af93bafeb0514dd003d51ee47bdf5711fc89d7d2
SSDEEP

1536:LGFy6/IpkyXkXwI5ovca6IswRATl0C7L7A:qFyiImn/ut6Ka37w

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4788	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4788	AcroRd32.exe
4788	AcroRd32.exe
4788	AcroRd32.exe
4788	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3684	4788	AcroRd32.exe	91
PID 4788 wrote to memory of 3684	4788	AcroRd32.exe	91
PID 4788 wrote to memory of 3684	4788	AcroRd32.exe	91
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 736	3684	RdrCEF.exe	94
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95
PID 3684 wrote to memory of 3376	3684	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\93ac8c1990f91e72b8d64ccac8402c54_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5A5385198C8C59C0DBEF1FC0A56B868 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=41401AC7810EDDC73900A474F0076370 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=41401AC7810EDDC73900A474F0076370 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=328A57C4D858E138EA9BF74FE3FDAD6C --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=655E1DB99D499D74FA2263D44406FA64 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=655E1DB99D499D74FA2263D44406FA64 --renderer-client-id=5 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2FFD314444A4ABA983225ECA827580A6 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=125A8AB9972CB9B839A54A4A1D187E39 --mojo-platform-channel-handle=2844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
95c8464baf91faeb1e5186230ee5f5e3

SHA1
86f63d399932ca1d69841487b69c031731250489

SHA256
a9da63262703dbb7cc5df40923e28c1c8b2233e3609e9e2e8c0ad55ba20b5aac

SHA512
08be6b7257b53ccc68cb10f4e272366b6c800067e5bd789629504eb98e67c43fc647d4b76afb9bc4dda1e61de8df35f49e09aa51c26e010a5072d68a395f0b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1030d3231cd28c649b9ed4b7fe33df5f

SHA1
7bbedccbc48f60741feadca58093b41a2ada6e21

SHA256
2c053baa6ac0e56de3d8c75a2917bfc5e7d46163e80a92973ca5a4bdd67b53b4

SHA512
451acfc1035f428df4e3c5eb35962669131af9e473c49ad55d8ef96bf088c043deaf932f0c6a45a2f310f713b1a21791fec93a8a8bbb5a5591af61ec9f375d52

Download Submit