df31236bc22ce58ce19ca8ae16e15e3d7bd11210ed140a6ff6536f1f1744d797

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23363f283b3f9bb8268feb0168849675_JaffaCakes118.pdf
Size

24KB
MD5

23363f283b3f9bb8268feb0168849675
SHA1

2c6b4e63374979e6b63bc5b36d02efb5e230b21f
SHA256

df31236bc22ce58ce19ca8ae16e15e3d7bd11210ed140a6ff6536f1f1744d797
SHA512

b4ae592c07a9ec6d9508afa0f6b878f0070fd3c9d047a0c497fe339294165ca1e162ed106f677d0cab08c6c40939b1163637de9491f3608b419ebf4a4eedc878
SSDEEP

96:WEDsNyvV0c645vFB+OlybcxMFizBQo4MFizBQox3KrOLJnVDceQj2KnSnZ1WjnY2:WysNAbl6yryzYyu+EdAw/A49NP4X+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5112	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe
5112	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1808	5112	AcroRd32.exe	81
PID 5112 wrote to memory of 1808	5112	AcroRd32.exe	81
PID 5112 wrote to memory of 1808	5112	AcroRd32.exe	81
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 1868	1808	RdrCEF.exe	82
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83
PID 1808 wrote to memory of 4516	1808	RdrCEF.exe	83

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\23363f283b3f9bb8268feb0168849675_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=38DEA97962474E72305B99702A863B19 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1868
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5F3AA5A4D3E1DC41A777EA5CD4934EEF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5F3AA5A4D3E1DC41A777EA5CD4934EEF --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B3F7A83A6BC33E973B111D6FB7CE5AE --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=08ADA343EAF5ED86752BF838A0C786C9 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7E371735649DE634FAD850D2042048C6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7E371735649DE634FAD850D2042048C6 --renderer-client-id=6 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C5A8096704DDF61C656AA010DB2B2C7 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
58411c7139b6b6f0594590f27af9c358

SHA1
f1754c0915a13652d942c433da928dcffe8649fa

SHA256
e16643b1b5c2ab58c027d4c641eff881afaf81b51458f462178eb9335cb38ac7

SHA512
9826d2d34b537f64b9dc86ca2ecdec1b0741c396091a13ba8b54de2a587c131b184eb78de20a57077a42cb4a1a6bdc9145c756d71deef1007c8c0624c4773c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ef64b00d2d5526bdc2c5b1834d93c4f6

SHA1
08307787ab2775e448edf9d06dfc3982a4590092

SHA256
fca8a321be6677c14119c1910573da2b05532d66c8e2e6474961385d6ddc83e2

SHA512
4f1c38066c16c7b7f971863a5ac8c876eb71bd117daf71501648ad159fcf3e226303e584505a0d86c0db50749393c781b681abd40814c65f29097eedbd344c06

Download Submit