9e47df54a9c6b0fe8c9677023faa794694e81716189e2669e1e1a2c523bd90e7

Analysis

max time kernel
80s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a2ad640f21d20328e3cc0a4951f88a_JaffaCakes118.pdf
Size

190KB
MD5

a3a2ad640f21d20328e3cc0a4951f88a
SHA1

07ea0864ee9ee3e718d7f034ba315ee65323aa6d
SHA256

9e47df54a9c6b0fe8c9677023faa794694e81716189e2669e1e1a2c523bd90e7
SHA512

bae69de17f3b45c2f3abbecfcb525a304d6eafe1a432e619ec06a8a416140e361abdfbf2179a0fa63a6ac794f3647a52517ab976ecbe17b59fc4f5fc4752a81b
SSDEEP

3072:g2irbxzGAFYDMxud7fKg3dXVmbOn5u66KjnMQSfaeBJc0W+63qhQ19cXS2:g2MKlWQ7Sg3d4bOnslHcNqmLC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1608	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1608	AcroRd32.exe
1608	AcroRd32.exe
1608	AcroRd32.exe
1608	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3800	1608	AcroRd32.exe	84
PID 1608 wrote to memory of 3800	1608	AcroRd32.exe	84
PID 1608 wrote to memory of 3800	1608	AcroRd32.exe	84
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4780	3800	RdrCEF.exe	85
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86
PID 3800 wrote to memory of 4828	3800	RdrCEF.exe	86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a3a2ad640f21d20328e3cc0a4951f88a_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8462590278C28AAF626C9F87F70C6464 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4780
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F18F6E27FD7F2CEF142F8381F6B0CC28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F18F6E27FD7F2CEF142F8381F6B0CC28 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91C7C65B54A654D097EC6C55867BD055 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1164
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=80BC041EEEEFFABFA5E3302C4E8E3ADE --mojo-platform-channel-handle=1916 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4916
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C023895F7EB59AE34F9AF3E466907A5F --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C053C6593DBD5C08B3BC1091C9761DFD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C053C6593DBD5C08B3BC1091C9761DFD --renderer-client-id=7 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f2b1c0d1267ceae85620eb5b42b78284

SHA1
208d66c3c0a144165e12c7a9044bffa5258a6249

SHA256
ea5e23269dc6bf4d2fafe2d79c551e01a3b38480e9fac6432db573d0242eef60

SHA512
e51d22282814a8df6300e8d75af272f642b0c5b8f1c6032e397ba8a94decc700c77b22b2e9629eb17b3b69dab42cb45047c83d3dea6f1bf48bdec450e65962ad

Download Submit