darkcomet | 5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488

Analysis

max time kernel
93s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Size

848KB
MD5

f4aa4319e9665a8e361b1698ed0bd7d5
SHA1

9f0ba090549177dca85ec622459464b37c5505e1
SHA256

5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488
SHA512

be6421f468b4ecdf8cf3afcb123daf7c80186b058e3526ba34995afab1b9af9fbbc4fef52684e0efc1d88e67fbe7348d9e9f89d28c55d485f0fe5dce37aaa3f6
SSDEEP

12288:va2jkl3B7hfDZcQ+vLVeJL1eqdIgP5tG4N5/aasLFfvFRyCQGib8tQQ8lOJ3ebVn:vaEkVZyVk8Y5N5iZvFRAAalOJ3Sjx5

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exenotepad.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1444 set thread context of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90

Drops file in Windows directory 1 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\PCGWIN32.LI5	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Modifies registry class 3 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}\ = 2ebfaa91c38b2c2fba3a0f49619c7c684b83a62982b866c8eda03b4e8ee53a6fb73a3dcf778532e3c1567f1dcaeb784637a3c251765cb3e949184091915ba36e699ba096305cb3d709128091f657c212e9af3fc5758c8c7a7a0f779af29630dcc4691f44aaf3070162f347ce327a7f8fca65ff7075f9b0f33eb6caf2b6620af6598e68e459f150bb9fb6aa8c18662de3b85172207fa98aa4b9d00b54c11d88a8cada54912d5bb82ef0a5b5ff73b53e804a84df4cd59b50d193ef1e9a95eed39a9e97aa9d9f6b959e53d496dedcd516dfdcea17c692d32f215a776f425a49978492de10d41b9f96959dac2b983e684bbbe6318d88271c6d95241fe1aaa3c006f663c33e390b4f5e7aab71868062c4e1fc68b7c58d40b8f172b4cf005a1b2f56ba9db6a8033ae6ceecbb7bf18e4b057eecf598f0d4805dde14abee596514906256d75dddd468ef41a5cca0fa8e897adbc951231cae953a9c8fea251e63ea26c11d776b72863f9c75170c12c7a16d8fa41a5c29578092ae96e423331e0654a391a993df616abc0108c7d84297b92d4b5bbe560a538796cddca72a4dfec40b5266276dd258989515a02c3478318f7885895f5bea962012e4d0c3ab39010c43f9167713c21ea6eb7239ffb0353ebc8b341972ac71c474de7deb48e1812cbb270efd2508b05946685d45a84ce49922d721ddac94a7ee0d842440b1117ba04eec9bb9d18fd0c5e440df7b15f61cfca94b849edc6a2a810707a3e8c42ddb5ad9d8021d4c094184c54c9d192748d73c0cf6b96b49d64670f2ec3199e55494c6157855baaf36d7c200a1fa03cf59251420d1b36379967012f5ee3c9bc9e9ff470a727301527b17f612cc1f9b2ae9f85f712afc87b5924f16da2d6958fcd3b5ee03642e8da5678c9218d6ecdd99d7d712ad5998acd2852643c286f9334bfebeca4a5f41aaf8210accb9fa370f4d7a04b7114d24642dfd38c837befdca08a1a1b347c1720c8925dbff2e4ae5fff34a4e21bbfb0e4ee5e5936ce919a090a4d2cca0797c08f5c23fa98aff5e7515405fe1eaec86a44cdc0797726d31c4cf0d9af8e8ca44071362e671527899b117b0ed30e40b00861542a0114ea06589b003b5d17394ce205b392e74a5bdbf770a8207164d9da4176e929b282e7cfb37b132c74062b929b39c71d6b4dcfceb0ac10700d2776072fd398b701ec76bd226a80dda78aff5a5f0b0427aa1f11f30d5f1ec0b244103a4cebc1a0b68fe7df4484f619a78178bd2d9d6d31dee28daa72f7d5a0891a190d754dd91e8ef1eda6aee6725525c6155782c771b421687ddfd170b5df9683421817343c66e8cdb44eedd64574fd2da6e1105d8bc28ca58d955931ce929b86088e3e6967d6274190f533a2670038369a1d84ba8c6051c2cd4bb11b194c76c1225dfbc15b5633f86f562b0990c2864bf510a6447bd02cbc0f94db498c26850431faeaac49fd115d3dfd6eaec46277362c67f1d4ad459e25409af64ba933696c21ca7d4ed91a7dfa295a89cbdd68b1ca62b82be704a87670de2b8c1f2a7fea2cbb8397008f5c1032faeba1a0e687a3d7734420d47d852129999ab6b797ef0b57abfc9755ff0ea7a863703c2367072f1ffbbb57100046fb31a8e2fda3a28f01b77d6822c6885bf6ff51a035026d5edef077a5d4f68da6116ac9dc4170092e0d0c5e80fc11ae3d7366d73f8beb2b546430dae84c4bd130bd6f9dcb429c07854712f78ba49f0bcfb88c9601cf9294be31e4e95e5ac5024d7d052a92f279a02a867fcf209c9209fc8aa3bc68e721b475632234e26fb23c9e9b864b68d8d678782a2f046f0c3c91e23ab717940740b8f619a34563fad0ac739f234b6f1c2034f9e3a14c8509b6b113e6b351e7cebb5a1bcf74ab2818820ded76bad6618f313015984ec42da29918097e2dd90686a1de1a867c20288af9de5ab80a6906293d16914c4af7d3ac8b79fcd55b82c74b931b7b0fd80741d0f28e5b96cb787025d3768b2f94e0865e5b00ffc9a34103391f6e77c8dcb6779c2f42eb0fa74cfcf65654ccce544e0fd6a8b6706321d406b03c60e9c3b6a0effda75110058b56bc35eee95dad3e9ee07846dc0a4a9be5b4a2ec7bb4db11838afcfc5a5acff588a17a6928da64703921e275482a10fb77a0209ff1cf5294c20a7193228f7ffcd35584f6b7ae637327df0f4398c70198554bc2d08fb394e709b8d1684a31026e06d9358e92967043223f7f64d3ce47462b1efbfa50a7339c67302be89b43f728ab7c03d80f742c21f08aa5ad869d304a90fdf7aaab7a6b2930051e0d0db291184204cb15bb8aef2850643e286f9334bfe9eca6a594190b81d8ed43bac36258320b164f7f132cb39bef7b4328f416584f050436b2ea685c29307e9323cce0905a0a09640e2116fa81aa7afed853b00c9e7fcfd74484f633ade372a32def6eb0361ae9044644da1c4ff130aee19c4902fac3a2589cc9fd82a6bc19eff2b4a86bfd275a74c6de718d25096d993ebd99e57945293e16924e4bf530ae647bd324bf0fe4f0bdae6a9dc471512606043df2e955b632ede1b54162113e0e6746cfdfb777132f8bf8cf578803188b0fac24fdf1ad5d010a9293fff750a0c4127b45d7094b99ccf6a258720cd81db8caee6c4028cce9905938ca65a9c2f565aad173bdd8e6804dd50682d2718dd2b5406af3d45089c212a04fecc8b07e182974ea21ba8ae5ec495a1ef43e52e9044d0c1988b933ee14b33660e0dbb448ef104f4d0729f89157f5f8a2ae63ff30af1c1047b0fcec56420ff49b5a000545161189c11a9245fccaa25e6bc130be65ed21569205c5b1796226c115b1caed4e421335c0657b352b997f7a2023e01ca80d97e2f7545f08cf8864f7c7a8bf7013da8b43a708f77e5f283fe8e8b84f9428fcf9a45902c9b99a9eb5fdeeaea6621136ca665bd503757cd528469325c78a931a0047042b7f932cbff9ef5ea7ca68b5259e7500dd998ec54a613dc61571812d5a75fadea0458efede5474cd2596e10255dbc28b7dafdaf4bc55e6feb7ae6319c7b970edddb2b912614d323214980fc48b401037766c203de0eab05d9c3ab4e869b9c695698ddd62b12e111c4e810241daf94259f9c1516109391e157f752f2e9080003a3f6514218af912590df16ea23784e8dc567e092781f89ea5bde5615e350d15fa82ac039727331febcb48b4e39e5302fbdba8808fa7c4e755b7cd6b7d3cd51c758a2d79e1295e7630dae98da2ee95aff510a68019fef953a204ff37a89312000515054ed1fc76a720789327f474aa2e19f3055f1e00b2ba69e5c2b15a6ac23ba86c8fc39c9f0bbfcb6358c7ca789bd5b4baec62462a3c1c9a7c302f67902343f338a067edc3515406c1359e9286405bf3075034c2ea705dd30280d3ddbb42e425b1756a25d8ea805dcdc2ba8e63bdc362b837e51752c0c7a7b0ff61acd178712dd2154182d139816e8d2be598becc1bb3f310a34f9410fecbae536a3bdc1cb80c1aea4e4d021aa0899fcef4925e41c6f95faa049de3c6af47f71cacc0785d25310deaf2b25fe53341eb1eb03796988440003bd06f7038d0ea41bbe2e74058f2cc51b3f160a1399e16f707affb18acf38fa358e70fa81779c0228c0da67d1926b199ed414909fd4	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}\ = fa5f9cd4c38b2c2fba3a0f49619c7c684b83a62982b866c8eda03b4e8ee53a6fb73a3dcf778532e3c1567f1dcaeb784637a3c251765cb3e949184091915ba36e699ba096305cb3d709128091f657c212e9af3fc5758c8c7a7a0f779af29630dcc4691f44aaf3070162f347ce327a7f8fca65ff7075f9b0f33eb6caf2b6620af6598e68e459f150bb9fb6aa8c18662de3b85172207fa98aa4b9d00b54c11d88a8cdda54912d5bb82ef0a5b5ff73b53e804a84df4cd59b50d193ef1e9a95eed39a9e97aa9d9f6b959e53d496dedcd516dfdcea17c692d32f215a776f425a49978492de10d41b9f96959dac2b983e684bbbe6318d88271c6d95241fe1aaa3c006f663c33e390b4f5e7aab71868062c4e1fc68b7c58d40b8f172b4cf005a1b2f56ba9db6a8033ae6ceecbb7bf18e4b057eecf598f0d4805dde14abee596514906256d75dddd468ef41a5cca0fa8e897adbc951231cae953a9c8fea251e63ea26c11d776b72863f9c75170c12c7a16d8fa41a5c29578092ae96e423331e0654a391a993df616abc0108c7d84297b92d4b5bbe560a538796cddca72a4dfec40b5266276dd258989515a02c3478318f7885895f5bea962012e4d0c3ab39010c43f9167713c21ea6eb7239ffb0353ebc8b341972ac71c474de7deb48e1812cbb270efd2508b05946685d45a84ce49922d721ddac94a7ee0d842440b1117ba04eec9bb9d18fd0c5e440df7b15f61cfca94b849edc6a2a810707a3e8c42ddb5ad9d8021d4c094184c54c9d192748d73c0cf6b96b49d64670f2ec3199e55494c6157855baaf36d7c200a1fa03cf59251420d1b36379967012f5ee3c9bc9e9ff470a727301527b17f612cc1f9b2ae9f85f712afc87b5924f16da2d6958fcd3b5ee03642e8da5678c9218d6ecdd99d7d712ad5998acd2852643c286f9334bfebeca4a5f41aaf8210accb9fa370f4d7a04b7114d24642dfd38c837befdca08a1a1b347c1720c8925dbff2e4ae5fff34a4e21bbfb0e4ee5e5936ce919a090a4d2cca0797c08f5c23fa98aff5e7515405fe1eaec86a44cdc0797726d31c4cf0d9af8e8ca44071362e671527899b117b0ed30e40b00861542a0114ea06589b003b5d17394ce205b392e74a5bdbf770a8207164d9da4176e929b282e7cfb37b132c74062b929b39c71d6b4dcfceb0ac10700d2776072fd398b701ec76bd226a80dda78aff5a5f0b0427aa1f11f30d5f1ec0b244103a4cebc1a0b68fe7df4484f619a78178bd2d9d6d31dee28daa72f7d5a0891a190d754dd91e8ef1eda6aee6725525c6155782c771b421687ddfd170b5df9683421817343c66e8cdb44eedd64574fd2da6e1105d8bc28ca58d955931ce929b86088e3e6967d6274190f533a2670038369a1d84ba8c6051c2cd4bb11b194c76c1225dfbc15b5633f86f562b0990c2864bf510a6447bd02cbc0f94db498c26850431faeaac49fd115d3dfd6eaec46277362c67f1d4ad459e25409af64ba933696c21ca7d4ed91a7dfa295a89cbdd68b1ca62b82be704a87670de2b8c1f2a7fea2cbb8397008f5c1032faeba1a0e687a3d7734420d47d852129999ab6b797ef0b57abfc9755ff0ea7a863703c2367072f1ffbbb57100046fb31a8e2fda3a28f01b77d6822c6885bf6ff51a035026d5edef077a5d4f68da6116ac9dc4170092e0d0c5e80fc11ae3d7366d73f8beb2b546430dae84c4bd130bd6f9dcb429c07854712f78ba49f0bcfb88c9601cf9294be31e4e95e5ac5024d7d052a92f279a02a867fcf209c9209fc8aa3bc68e721b475632234e26fb23c9e9b864b68d8d678782a2f046f0c3c91e23ab717940740b8f619a34563fad0ac739f234b6f1c2034f9e3a14c8509b6b113e6b351e7cebb5a1bcf74ab2818820ded76bad6618f313015984ec42da29918097e2dd90686a1de1a867c20288af9de5ab80a6906293d16914c4af7d3ac8b79fcd55b82c74b931b7b0fd80741d0f28e5b96cb787025d3768b2f94e0865e5b00ffc9a34103391f6e77c8dcb6779c2f42eb0fa74cfcf65654ccce544e0fd6a8b6706321d406b03c60e9c3b6a0effda75110058b56bc35eee95dad3e9ee07846dc0a4a9be5b4a2ec7bb4db11838afcfc5a5acff588a17a6928da64703921e275482a10fb77a0209ff1cf5294c20a7193228f7ffcd35584f6b7ae637327df0f4398c70198554bc2d08fb394e709b8d1684a31026e06d9358e92967043223f7f64d3ce47462b1efbfa50a7339c67302be89b43f728ab7c03d80f742c21f08aa5ad869d304a90fdf7aaab7a6b2930051e0d0db291184204cb15bb8aef2850643e286f9334bfe9eca6a594190b81d8ed43bac36258320b164f7f132cb39bef7b4328f416584f050436b2ea685c29307e9323cce0905a0a09640e2116fa81aa7afed853b00c9e7fcfd74484f633ade372a32def6eb0361ae9044644da1c4ff130aee19c4902fac3a2589cc9fd82a6bc19eff2b4a86bfd275a74c6de718d25096d993ebd99e57945293e16924e4bf530ae647bd324bf0fe4f0bdae6a9dc471512606043df2e955b632ede1b54162113e0e6746cfdfb777132f8bf8cf578803188b0fac24fdf1ad5d010a9293fff750a0c4127b45d7094b99ccf6a258720cd81db8caee6c4028cce9905938ca65a9c2f565aad173bdd8e6804dd50682d2718dd2b5406af3d45089c212a04fecc8b07e182974ea21ba8ae5ec495a1ef43e52e9044d0c1988b933ee14b33660e0dbb448ef104f4d0729f89157f5f8a2ae63ff30af1c1047b0fcec56420ff49b5a000545161189c11a9245fccaa25e6bc130be65ed21569205c5b1796226c115b1caed4e421335c0657b352b997f7a2023e01ca80d97e2f7545f08cf8864f7c7a8bf7013da8b43a708f77e5f283fe8e8b84f9428fcf9a45902c9b99a9eb5fdeeaea6621136ca665bd503757cd528469325c78a931a0047042b7f932cbff9ef5ea7ca68b5259e7500dd998ec54a613dc61571812d5a75fadea0458efede5474cd2596e10255dbc28b7dafdaf4bc55e6feb7ae6319c7b970edddb2b912614d323214980fc48b401037766c203de0eab05d9c3ab4e869b9c695698ddd62b12e111c4e810241daf94259f9c1516109391e157f752f2e9080003a3f6514218af912590df16ea23784e8dc567e092781f89ea5bde5615e350d15fa82ac039727331febcb48b4e39e5302fbdba8808fa7c4e755b7cd6b7d3cd51c758a2d79e1295e7630dae98da2ee95aff510a68019fef953a204ff37a89312000515054ed1fc76a720789327f474aa2e19f3055f1e00b2ba69e5c2b15a6ac23ba86c8fc39c9f0bbfcb6358c7ca789bd5b4baec62462a3c1c9a7c302f67902343f338a067edc3515406c1359e9286405bf3075034c2ea705dd30280d3ddbb42e425b1756a25d8ea805dcdc2ba8e63bdc362b837e51752c0c7a7b0ff61acd178712dd2154182d139816e8d2be598becc1bb3f310a34f9410fecbae536a3bdc1cb80c1aea4e4d021aa0899fcef4925e41c6f95faa049de3c6af47f71cacc0785d25310deaf2b25fe53341eb1eb03796988440003bd06f7038d0ea41bbe2e74058f2cc51b3f160a1399e16f707affb18acf38fa358e70fa81779c0228c0da67d1926b199ed414909fd4	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeBackupPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeRestorePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeShutdownPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeUndockPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 33	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 34	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 35	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 36	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	83
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  PID:5092
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
d8b37842c7ea650e35ab34a6f0581e6d

SHA1
84324031bb44aa56d19b78892b38371fe830d11e

SHA256
0d15d81daa2b1295954e00eb51388d119f2248238e940b24973508bfb083435d

SHA512
793d21a65685ca1a92ddc6f79ac48a74e9651a9579892405913b9a628d0425bb6ec4c4857587f93c8f1080481db9480fab7b71eb4d0ef571839d9d4022976cb5

Download Submit
C:\Windupdt\winupdate.exe

Filesize
848KB

MD5
f4aa4319e9665a8e361b1698ed0bd7d5

SHA1
9f0ba090549177dca85ec622459464b37c5505e1

SHA256
5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488

SHA512
be6421f468b4ecdf8cf3afcb123daf7c80186b058e3526ba34995afab1b9af9fbbc4fef52684e0efc1d88e67fbe7348d9e9f89d28c55d485f0fe5dce37aaa3f6

Download Submit
memory/1268-19-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-22-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-20-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-23-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-24-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1444-0-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1444-12-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1444-21-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/5092-14-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download