76e5fb25bcad53296c63c40246b26adc500ef40583ef6d04c686027a17e982b7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ae8195d3a839b7c7f20fa90474af4fe_JaffaCakes118.pdf
Size

88KB
MD5

0ae8195d3a839b7c7f20fa90474af4fe
SHA1

d81e86a531223c5bee1b706e84b2316753f1a761
SHA256

76e5fb25bcad53296c63c40246b26adc500ef40583ef6d04c686027a17e982b7
SHA512

f8dc0bbe12f55a5b53cef586d1eab199d9624d541e46619185cbeb207b8d387d248a12da1c2b31619e83c1e6975c0ddc2adc1a81938e958cd66af87bcf1b0b4a
SSDEEP

1536:wiF6mfB7EANAY5VNs3A6iIDjfnaJG2p3FXMGm10Fn6rtO49Fd6Sb/4wf6WyCTsDi:dFnly6fs3A6iIHnaJGy3FXMGmbrtO8Ff

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3580	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3448	3580	AcroRd32.exe	82
PID 3580 wrote to memory of 3448	3580	AcroRd32.exe	82
PID 3580 wrote to memory of 3448	3580	AcroRd32.exe	82
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 5044	3448	RdrCEF.exe	85
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86
PID 3448 wrote to memory of 2788	3448	RdrCEF.exe	86

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0ae8195d3a839b7c7f20fa90474af4fe_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9098D9FD484E8A877E35F84C995DB077 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8DA00B87B873AA38E333E3F8E75BF573 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8DA00B87B873AA38E333E3F8E75BF573 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D106D333B278320A0C7A8723E7DAF31 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01BF7D36C1C2B07A217B29774522C6B6 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ECAF26FCBB65519CE41F013A2D8794E6 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1360
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1F9C9257E1B8AC63ED25AB2B84DDD660 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1F9C9257E1B8AC63ED25AB2B84DDD660 --renderer-client-id=7 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
1957752b8281e70739f6b92da37cfd02

SHA1
f6e2a1db1d0eb55dd67a8994e6005a36e518be49

SHA256
08964a1b8f0021b39a24b7db81930a8609e1d10fe96b15240d99c60e20732b75

SHA512
bca2b3163a1d118d926b127f1f53e89b1f57cd26bde807f59e395e3c85411dad7b24d27e7d89f02a9f2f2c2411154fe97ccf595a56d81bfd41dfc884c413072d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
982651e6b60df7b97a65023a88623bb9

SHA1
8989b355ed95d554b65d788fa6158cd2a3f92826

SHA256
659976b6e225e9d12d7e21142d64f45f5c1a437d5b5206a37b99a4397d0d62ed

SHA512
5bd69fea122004024ab0d50f5acc970253942cb28ab726cf3b266158f6fa5618468dd8162e4a52489ce7ba43b6025adf2745c172864afb1117f32b7c99938ba9

Download Submit