a6e177084df07bf63d4984cc3b67e42ee864b9490c060bfdfe933b7ff0811ae5

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

102b6868b5d11b02ae356e54b1630f29_JaffaCakes118.pdf
Size

85KB
MD5

102b6868b5d11b02ae356e54b1630f29
SHA1

3b4dc31ad85c7e7239a8d883721e14155fe22ad1
SHA256

a6e177084df07bf63d4984cc3b67e42ee864b9490c060bfdfe933b7ff0811ae5
SHA512

75e06ac3b09e9afabab161eb9f7e45e2c41b797662f671400c64fd18eb29ac8820b6e0c5693c4f15b924c5d59e1fe6184e9e67b969ea2cabeb44901b31ddcdf4
SSDEEP

1536:ovtxOdiOMbI6+L0mvo2ZWgR8ELEYgddJ8uzbb4lLbqaAEzcWtstXp2W2pX:OtNGPL0mvBZlu8s4IhEzxslpO

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4064	3036	AcroRd32.exe	83
PID 3036 wrote to memory of 4064	3036	AcroRd32.exe	83
PID 3036 wrote to memory of 4064	3036	AcroRd32.exe	83
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 3212	4064	RdrCEF.exe	84
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85
PID 4064 wrote to memory of 376	4064	RdrCEF.exe	85

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\102b6868b5d11b02ae356e54b1630f29_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF570F85F0D50D838AC830C2BF1A7E18 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6850226E6D4F848394BF52A6C2AD7BC6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6850226E6D4F848394BF52A6C2AD7BC6 --renderer-client-id=2 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29B6E62F219B1751CF18C2928946FD33 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2352
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B0A146B6FCF76D31756DA5F103B4A40 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=47A9AF9B36CD1B33C6F871DABE5D9AE6 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9adf68d382cf079b8be4b4aa69453ced

SHA1
8866f9308c3ec5496d781001794d08674985302a

SHA256
ac936b095ad06060cf3ab108fdb18f87ba4f78a581d5343ac0f0184fc12ad4a6

SHA512
c7b3605f645a3d317a122f37ba17d26dfbcfe379ade9288cf8a9def6b3c933fe1b1e845852448a66530101d0e3bbc8d77957c094b177f97bc1d01fe48ef563f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f77c0f6d3e83a20855b6b0ecc14afb18

SHA1
5024083a97ea1bb2e7cae389bcd664d532766ef4

SHA256
bf2827a8e9b82b8e903c676863913d26da0d71bac63e3116bfb27f1703d486e2

SHA512
40b9a22d4e92dca091fb219800edd0e8e68389c8f1e848fa38ee51d3c63ad271d4ea1a8f22043cc32ba80556dfda638547abac9f2f9b331463afe8e91e80cab7

Download Submit