be7c510fdb9e944713f5597a22df4c6fa2055f4d9508219e497299f364c34911

Analysis

max time kernel
141s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b67125f73769d4b909fc2253ddf9de1_JaffaCakes118.pdf
Size

112KB
MD5

1b67125f73769d4b909fc2253ddf9de1
SHA1

214ae068a0a7be6307d462d5202debb51229b46d
SHA256

be7c510fdb9e944713f5597a22df4c6fa2055f4d9508219e497299f364c34911
SHA512

1bedc9ed63e91a3bf0593e14b50cac10feab877213399dd453a513f819d2d8ffb05d995ba397725e3d17a8cd2370627bbc0acb0f0e9fb4dbcafb1103792c2a8d
SSDEEP

768:ZO9WZSVsV1YPveYmYGbLB/vbQNK775BoQ4mijVJipEhiD6T+bIxp0sO9PGVigGZw:C

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2664	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe
2664	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1668	2664	AcroRd32.exe	81
PID 2664 wrote to memory of 1668	2664	AcroRd32.exe	81
PID 2664 wrote to memory of 1668	2664	AcroRd32.exe	81
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 836	1668	RdrCEF.exe	82
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83
PID 1668 wrote to memory of 4844	1668	RdrCEF.exe	83

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1b67125f73769d4b909fc2253ddf9de1_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B87B8E5EE116EA155F6D33672C3967FF --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AE5D91DC6E7C4495C1963A01AA2BC8EB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AE5D91DC6E7C4495C1963A01AA2BC8EB --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=24DE659409DA81004DCAD5CC103F074E --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2056
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=451F5511E28A7492324820E51A1204EB --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5080
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C92A03D5E0F61249B48C493B02ED53AC --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2812
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A43EAEF7BE5C779EE1B24AB78835EB9E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A43EAEF7BE5C779EE1B24AB78835EB9E --renderer-client-id=8 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
55e9014d81c6a6153d86d5ffd3b93228

SHA1
37168c8af51ce3320e2b45f877c7f96456894021

SHA256
c179f8f3ef8c1d5f8146bd1c6d246c2535e415b2031c7e09c344f4501b331b86

SHA512
05628e70443884fee05fd2b3e146c89a0b8042af6efae728afe85e395ed8decf9efacffcc4786276f8dc75f36a7ea2cf943bc83ff7e13f34da85fd3f6bbbecb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
054dde48166fc17fd8f787d26b813425

SHA1
a800814c082c0bef022de562df6913a4ffce1d7c

SHA256
3e74e24d6bda6ed18ae16ff44892702f8f4516a7c13fd85390f1c38d07832379

SHA512
d4f8e5bcddbe1c980b5c938b21ce8a4612be916d1ece988299173113a276b13712ebf218224789b33c27227b96a35717ed8819cc03e1599b3aae1138fd14943b

Download Submit