fed04db831db307383519ada0bf1a3737eb84c8b75f152af86cd8983a5fc10c8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191064cd195900428882556b73a4ae6c_JaffaCakes118.pdf
Size

2KB
MD5

191064cd195900428882556b73a4ae6c
SHA1

b74852f6c236277e72c3b4cd51ea3fb6a28f2670
SHA256

fed04db831db307383519ada0bf1a3737eb84c8b75f152af86cd8983a5fc10c8
SHA512

67bed0332051d4dd1c16767efdf02313e08e2b70939e555c7ff35dc7757a9b1284d66382ce8c0cead99b1d1920567d0cb623cf855ea2193d924f2725cc04af3d

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3876	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe
3876	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 1484	3876	AcroRd32.exe	82
PID 3876 wrote to memory of 1484	3876	AcroRd32.exe	82
PID 3876 wrote to memory of 1484	3876	AcroRd32.exe	82
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 2512	1484	RdrCEF.exe	83
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84
PID 1484 wrote to memory of 3112	1484	RdrCEF.exe	84

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\191064cd195900428882556b73a4ae6c_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=22207D467EB18F8D8E3E288302C021A0 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2512
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6A4DC42EC308BA1A75FB19868478F7E7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6A4DC42EC308BA1A75FB19868478F7E7 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=83981DBAD28D3A831E7E9E1FB128C135 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4228
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9D7717AB062140A27923E97C8E81A069 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9D7717AB062140A27923E97C8E81A069 --renderer-client-id=5 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=565031726FCC5CE119F1F08E295833B7 --mojo-platform-channel-handle=2752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38D172CBE53912CE3FD3D40F2F67893D --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
bf99c71ade18663f8f8f0effe2569415

SHA1
c4c95c079fae42a7e69fcef0afff857163de5055

SHA256
1bcdb75bff5995128a0bf25e491f43688ffc127a7f7927fd43f6d2247dda0995

SHA512
b0f3ab0a8ad1f95188e765760bf3ce71e065a4f416c10d9f641b46aa43cb49b0d3c34a33c243cd0521a73bc973e124d697d3772d2839455cff41cc94cb15fa55

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f2c947ccaa0de4b0c3971916b2d599fc

SHA1
951de7bcb077ceee1c1a44e21fe4e67206c9b445

SHA256
8b6124c2cc1915f77710db2a88d9f408d52547d7d89b79a8ad917ca75e0a1042

SHA512
e60236568d1287f45f42213d18e5606e8f7b387174881f69fcc8d4ad29801805666bcd566848472c908e9d8990281fd52c397f825c14b155987a765b9a0124dc

Download Submit