4deb3a00934e2d3160f5047db040a3f23ae17bfb1a646901e740a9c9e92a84df

Analysis

max time kernel
141s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 06:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24ea19b46a10624a9e17c3c08538d3f9_JaffaCakes118.pdf
Size

110KB
MD5

24ea19b46a10624a9e17c3c08538d3f9
SHA1

af7897b3042f732bbb91807fee918e10400e1b7e
SHA256

4deb3a00934e2d3160f5047db040a3f23ae17bfb1a646901e740a9c9e92a84df
SHA512

03a133122bfd40ca66fb5c2b9eb1fe6161ef1424b4d913c03dc5a2d9efdbfc20b6102f0a9137d387c7069c75573b610c0c2fbc200dd022da9ba2b3fc855378dc
SSDEEP

768:DkdWZSVsV1YPveYmYGbLB/vbQNK775BoQ4mijVJipEhiD6T+bIxp0sO9PGVigGZw:U

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe
2468	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3796	2468	AcroRd32.exe	81
PID 2468 wrote to memory of 3796	2468	AcroRd32.exe	81
PID 2468 wrote to memory of 3796	2468	AcroRd32.exe	81
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 2480	3796	RdrCEF.exe	82
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83
PID 3796 wrote to memory of 4428	3796	RdrCEF.exe	83

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\24ea19b46a10624a9e17c3c08538d3f9_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5FE7BCAEF943A02B6780A8B48E789D4A --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2480
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CEFD00AEC5C3BB3FA0CB591E6AB15C3C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CEFD00AEC5C3BB3FA0CB591E6AB15C3C --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B06890DF9EF4923F775B4527C8A82C17 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4120
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8879F95EE0E96148DFD527E49686A2B5 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2908
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F1F29460FAC9C169209D02BEF1B31E58 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BEE1C4003070953DC6F13DD8C20F9FA6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BEE1C4003070953DC6F13DD8C20F9FA6 --renderer-client-id=8 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
8f7bdb55e81572c735924843b6d0b533

SHA1
13c26bf5c22c46ac071fba5c3aefc4c99583512f

SHA256
437e8df11015395e5ed304b966af8c8475131480434e19fe82f4d0d990c188b7

SHA512
2c99d2b18fd140c87cd87b6bd1d682038e8de8fa09ec346c091d25c72a466a5f947845276493942b4f90620d4ca8a2a05364e8000a74bdf654a29cd06e623832

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e2bd3b06b94dbcb3ea5a4777539d157f

SHA1
aec569d5a612a25db9549d8e8137bdfb109c50be

SHA256
037459b0860e08d636d5eb6aa0ef88db96c545a6c1754c640ccfc7ff986a8761

SHA512
53a3dcde7c2826b0b9735597a42de8051ff9f38395d7d410b04eb6c9528f661bd1ad6e0f79c604bbe517bb0867950e39ef266195ae251bb1fdbb228c67c1de6d

Download Submit