a52600dc4b6295dfe7dd9e8d18bb3ca4bae831e7dd17560b25e11d1035750141

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb0d59791ed48aef2ac0e60badf2eb6_JaffaCakes118.pdf
Size

9KB
MD5

0fb0d59791ed48aef2ac0e60badf2eb6
SHA1

54cf19ae97c5b215614653c122700fe53ef5b8a2
SHA256

a52600dc4b6295dfe7dd9e8d18bb3ca4bae831e7dd17560b25e11d1035750141
SHA512

a8320b923cd2af0b0e803d7dad3b286ce046a7eb2ccae05e07344dccc316718b871b756fbdf3d5c2f7803789b23693bcf13f6405b09252944f0ef15e577fd5ee
SSDEEP

192:jPz4ULMxLIKXHszs7o/DiueXN+XytgpeG3aCiC7KMTxP32Wz3TUVxWQsmVnukCX:jPz4ULMxLIKXHsAsrib+XytMT3aCpKM1

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1296	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe
1296	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 5016	1296	AcroRd32.exe	85
PID 1296 wrote to memory of 5016	1296	AcroRd32.exe	85
PID 1296 wrote to memory of 5016	1296	AcroRd32.exe	85
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 4020	5016	RdrCEF.exe	86
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87
PID 5016 wrote to memory of 3212	5016	RdrCEF.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0fb0d59791ed48aef2ac0e60badf2eb6_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C27CF7122A3A67F893ADA946F8BD6C8 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F3351305D365483499A147671A977F94 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F3351305D365483499A147671A977F94 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E305AD26460AAC7277D6DC6D880A0626 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:8
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C3F105852E20B0BB8FA7C46BE3EAF46 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=707C75788444B2A3596C813855E45220 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=707C75788444B2A3596C813855E45220 --renderer-client-id=6 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8B28D6B089B24956883008281BD725A --mojo-platform-channel-handle=2704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b3c3b07a73af9c02573e321f22583c3e

SHA1
290347e787f66df6529a35e0a9eccb67f48a32c3

SHA256
4930dcca7204b6e3f795f6a640115ff33ad2b12b7798fd299d207ad3c9e6cae5

SHA512
dd9e9ca67881afbfe81d5c6eb34a8ebc30c3d392c19c9ee940de7c5fb68c0da2d0bf74c796cc36c0ed16595d203e8e5b41ed94f318d3cb545741c8e806a08d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cea71dd91517994204e846ad56ffe567

SHA1
2fb7f5aeb2723527816bc7d220ff775e0ea80dba

SHA256
ee8a0f7216cb3dbb531bbd1a20f7c6bfa375e8c19ee800243fde96e808333701

SHA512
b9c4feaa356912e53e5915689995ca389c029109264f46c5b637d0e3a8bbfa932b078fc852f1c7cfec23c8365e0f33dc5a516adb7e0e6e366ea2b7df42f06af2

Download Submit