6a6d779fadae46610e9e69c617339e8ebcd49d34bcbb00e4ee4b00f53ff523b4

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1acb444663af612a3b48653470ed1cc4_JaffaCakes118.pdf
Size

101KB
MD5

1acb444663af612a3b48653470ed1cc4
SHA1

ea7bd4b648698a24bee5141ad697946e69d9af45
SHA256

6a6d779fadae46610e9e69c617339e8ebcd49d34bcbb00e4ee4b00f53ff523b4
SHA512

9d385fa84bfce8f048431999da3820daf826de8e0fc51d37eb1f9e362e799a3f1f582d5e4a838cb695f6a5bcea84e1865df30c3074266da6d8f2753b0ddeb4f8
SSDEEP

3072:raU1RWZnxZdKsZkH6HSfUSUKvTlE1F0RW5Uig:rvRKDdKb6OU9EBvB

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4712 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

4712 AcroRd32.exe
4712 AcroRd32.exe
4712 AcroRd32.exe
4712 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

pid	process
4712	AcroRd32.exe

pid	process
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe
4712	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4712 wrote to memory of 4396	4712	AcroRd32.exe	RdrCEF.exe
PID 4712 wrote to memory of 4396	4712	AcroRd32.exe	RdrCEF.exe
PID 4712 wrote to memory of 4396	4712	AcroRd32.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 2892	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe
PID 4396 wrote to memory of 4180	4396	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1acb444663af612a3b48653470ed1cc4_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E709DD90A75348E2D6242A46E19364E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C04DEA33F522C528257EDF029D9F75ED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C04DEA33F522C528257EDF029D9F75ED --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=22300FE3A37CF20740CE8F92AB9C9C77 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=837100FC85934A0EDBEB4319755811F7 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A93F7554D870DF87B08C014A3998C615 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D7E51311D935A9D78DD6B2CAB58F66F0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D7E51311D935A9D78DD6B2CAB58F66F0 --renderer-client-id=8 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
659c4c68bfb2883b8f5e88a881b27468

SHA1
c6c0258bded872218e99949c0c90d557d2c079d2

SHA256
81b8f5b745b1da9a6a741254802d7aad488429cadc35fa3412fe32d32eda2cbe

SHA512
c6956239a4e8f4565b363395c8d41846d4ddca670906a733a746fb57cbad6fc6dafe1f1e79846033bf57f27be98c476ec938319d52d30484246c72357a021a6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
ff3f90f7236efda119ab303c620cd0ff

SHA1
75dabf3cefd5caa3582288536966251463bc7953

SHA256
a8fcaf711db4671cde1e9435ef39dd18d75d9df2c661856c35271e40632cf4e9

SHA512
f63ece89d87083645c1055631d8f0995b361d5a2a88e284699257c10f52e1dde33a341382312bb018066ed02c69cc9f404f608a4976a15815ac1ec819e7b2940

Download Submit