Analysis
max time kernel: 52s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 11-06-2024 19:13
Behavioral task: behavioral1
Sample: 9f429938fcf6549d1683b868d34f60f1_JaffaCakes118.pdf
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 9f429938fcf6549d1683b868d34f60f1_JaffaCakes118.pdf
Resource: win10v2004-20240508-en
General
Target: 9f429938fcf6549d1683b868d34f60f1_JaffaCakes118.pdf
Size: 40KB
MD5: 9f429938fcf6549d1683b868d34f60f1
SHA1: 6343206e225d2ec08104e5b70418aec93c794657
SHA256: 7f494bcf73f9994ca4d42178eb22b0d24693ffb3c7a0d12b670aa52e1cc8b797
SHA512: 330781ebaaa0e0baeb15821526fc8c9b635c890507f1d1cf158deaf29190de172ecb94bfa2c2843cdcdfa0260f20d916c9c03d6c0084a1c0fd2bd23b6a911bb5
SSDEEP: 768:dOgGzpDTpiMLMtFwZS8xdQi5jIzwIIGygQLiK1J6xykTZIUBICCZQglA5QlZ:dGFvpiXHuiyJ68XPChglA5QlZ
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
432 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
432 | AcroRd32.exe
432 | AcroRd32.exe
432 | AcroRd32.exe
432 | AcroRd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 432 wrote to memory of 4632 | 432 | AcroRd32.exe | 81 (entry repeated 3 times)
PID 4632 wrote to memory of 1948 | 4632 | RdrCEF.exe | 82 (entry repeated 41 times)
PID 4632 wrote to memory of 1860 | 4632 | RdrCEF.exe | 83 (entry repeated 20 times)
Processes
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 432)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\9f429938fcf6549d1683b868d34f60f1_JaffaCakes118.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4632)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1948)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F6D9C2AF763980BFAF25373BA6224BFC --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1860)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60F64DD00E6EF689DCBAB7F38D010BAD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60F64DD00E6EF689DCBAB7F38D010BAD --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2384)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=28B294F6A64F590A947D8BEA3ACEB152 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5432)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C532C4AEEBC3986A57B89829AD4BBAFA --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4448)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68426DF9B592C90CD37451934972DE22 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1416)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5FB07C35A5E44D48C6AD336B5878B222 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5FB07C35A5E44D48C6AD336B5878B222 --renderer-client-id=7 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1140)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: c5c0eca850455de016324500d1c64c0e
SHA1: c3ef68bcb2be964df5f993f123ed97eff7b01dff
SHA256: c323aa5bca430b4d981b8d38d5b0e390174cff6d1980c2b6c197b18c82b7f6ca
SHA512: 2c96a990b5da80d096bd86dfaf744cf78e434e9e0ca0d9a9bfb7dc2c6740e15a881fa97fc642e0934f78113d89b5e66165c9a332106e7aa58562166028a3511f