c39a962ee12d3e986b134147d75ce995fee889de667f78f629c05dcf72317fe8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25427e9d9cf14f6c9a3619ab36da7f60_JaffaCakes118.pdf
Size

24KB
MD5

25427e9d9cf14f6c9a3619ab36da7f60
SHA1

2205fa576552c674d5747c76644f36694b9bf77d
SHA256

c39a962ee12d3e986b134147d75ce995fee889de667f78f629c05dcf72317fe8
SHA512

b3771f5c596dd1d49bcdda5b12fec0dbbfcbc3747ecd68971fb7b36c1c2e5ed9f72afcad25789d3b1779e44d500e9e8b9993b1878cab40a56858ef17194db87a
SSDEEP

96:WEDsNyvV0c645vFB+OlybcxMFizBQouMFizBQoj3KrOLJnVDceQj2KnSnZ1WjnYG:WysNAbl6yxyJYyNv/u7UL6RA49NP4X+

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2932	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe
2932	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3444	2932	AcroRd32.exe	81
PID 2932 wrote to memory of 3444	2932	AcroRd32.exe	81
PID 2932 wrote to memory of 3444	2932	AcroRd32.exe	81
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4748	3444	RdrCEF.exe	82
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83
PID 3444 wrote to memory of 4816	3444	RdrCEF.exe	83

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\25427e9d9cf14f6c9a3619ab36da7f60_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B7BFE3BC709675907536B37D96165842 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4748
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=64C6D250A1614D64BDFD755EC332C1E3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=64C6D250A1614D64BDFD755EC332C1E3 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB37157C952F31D52B505F10AB2B39DC --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4932
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E35621B255BAFA36E6857995A53F33F6 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3432
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=832C2254B4E164C6906A097ED5DA986B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=832C2254B4E164C6906A097ED5DA986B --renderer-client-id=6 --mojo-platform-channel-handle=2452 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3036EE526A0F26437218535AC2BDBD5D --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0bae23f1bc816051087c769c69a3a9ca

SHA1
f5e5ded68ff8a55524b10dbfcea69d85a70d8ff2

SHA256
e6002239c177a99bd8a5ba0f603cd926bd301fe126f244ced1fc420b62f4c7ed

SHA512
2504814591a467084d295edfe929e8698d487a35ac50d5fdadd383d7ce3f2cee6ff3a479b98dbe63adb63b0024a4911ff491b1d6de0fd35c3e72229f31a51356

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
491a1effcd16c17c81ef8f2477860be2

SHA1
01128dc76c7eadb716682739e4a9486e9f2e6532

SHA256
bf3e90a3676c487cb0e41a6b180295a3ebef20f17ba43ef51b02e385e63e6e4b

SHA512
a53492e42fe649dd81f55e56b3f454b57bada2742251b87b4fcebe38ca117aaa1c274842f4f5676bea759c9bf8361251ef3802d0759b67a4b7aadcbee874ffb1

Download Submit