b8c20d60c7995c8f40c005939227beaf185becbddc4e10905a66525cf28b3d55

General

Target

a70c730ecf963e99cf1ae20f4f2ae843_JaffaCakes118.pdf
Size

38KB
MD5

a70c730ecf963e99cf1ae20f4f2ae843
SHA1

16c73d33349069857e0f9d47f5df0bf3024394d3
SHA256

b8c20d60c7995c8f40c005939227beaf185becbddc4e10905a66525cf28b3d55
SHA512

6565ba06d83b2138df76301e3f6dde7286397d5a6b71d551d67e8b64547aeea6de0eb45d19edf0f32a26d4e39638aab6a7421921b0678a2f334efd557790113b
SSDEEP

768:0XuMZmwgCLWari67OEX9bY5hQftLagAtGnMKmIT0GDF9XIt7lXFHV+nj8:0XFZmGWStE5hctLagAtGMKv0cy71F1+Q

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4832 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4832 AcroRd32.exe
4832 AcroRd32.exe
4832 AcroRd32.exe
4832 AcroRd32.exe

pid	process
4832	AcroRd32.exe

pid	process
4832	AcroRd32.exe
4832	AcroRd32.exe
4832	AcroRd32.exe
4832	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4832 wrote to memory of 4524	4832	AcroRd32.exe	RdrCEF.exe
PID 4832 wrote to memory of 4524	4832	AcroRd32.exe	RdrCEF.exe
PID 4832 wrote to memory of 4524	4832	AcroRd32.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 5064	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe
PID 4524 wrote to memory of 2236	4524	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a70c730ecf963e99cf1ae20f4f2ae843_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FDEB3E10BC71987EFDD6DB6D3A7A41C3 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=865C8327D80CB41ED004FD6D8B0A15E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=865C8327D80CB41ED004FD6D8B0A15E6 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F23D62C5A8B951BDF35E40EA9A6031DA --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9CDC1FCFF1EBC891E4237442E69ECA85 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3580898D2D3702F194C736AB6D5827EF --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=274DFE03C67DB40DC9DB9F0710DD49E5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=274DFE03C67DB40DC9DB9F0710DD49E5 --renderer-client-id=8 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
84de3d471737f3653f94f304e5cf71da

SHA1
b889ee4ac57b966f8d59237458c24ac67e4f7ad4

SHA256
b2eb4209008eb2c6c3d72766a131fadb1910739f9af360040147fe14bf5f1a14

SHA512
598ce5d749a1c98da5ec8931e7b3ddaf3021b62025c30219692ac63a365ce0dd6e317c96c3ff47161d6ff36a721d827d4296f468eca1e95f2df0508b50207607

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads