darkcomet | 5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488

General

Target

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Size

848KB
MD5

f4aa4319e9665a8e361b1698ed0bd7d5
SHA1

9f0ba090549177dca85ec622459464b37c5505e1
SHA256

5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488
SHA512

be6421f468b4ecdf8cf3afcb123daf7c80186b058e3526ba34995afab1b9af9fbbc4fef52684e0efc1d88e67fbe7348d9e9f89d28c55d485f0fe5dce37aaa3f6
SSDEEP

12288:va2jkl3B7hfDZcQ+vLVeJL1eqdIgP5tG4N5/aasLFfvFRyCQGib8tQQ8lOJ3ebVn:vaEkVZyVk8Y5N5iZvFRAAalOJ3Sjx5

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exenotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description pid process target process

PID 1444 set thread context of 1268 1444 f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe explorer.exe
Drops file in Windows directory 1 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\PCGWIN32.LI5 f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	process	target process
PID 1444 set thread context of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe

description	ioc	process
File opened for modification	C:\Windows\PCGWIN32.LI5	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Modifies registry class 3 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}\ = 2ebfaa91c38b2c2fba3a0f49619c7c684b83a62982b866c8eda03b4e8ee53a6fb73a3dcf778532e3c1567f1dcaeb784637a3c251765cb3e949184091915ba36e699ba096305cb3d709128091f657c212e9af3fc5758c8c7a7a0f779af29630dcc4691f44aaf3070162f347ce327a7f8fca65ff7075f9b0f33eb6caf2b6620af6598e68e459f150bb9fb6aa8c18662de3b85172207fa98aa4b9d00b54c11d88a8cada54912d5bb82ef0a5b5ff73b53e804a84df4cd59b50d193ef1e9a95eed39a9e97aa9d9f6b959e53d496dedcd516dfdcea17c692d32f215a776f425a49978492de10d41b9f96959dac2b983e684bbbe6318d88271c6d95241fe1aaa3c006f663c33e390b4f5e7aab71868062c4e1fc68b7c58d40b8f172b4cf005a1b2f56ba9db6a8033ae6ceecbb7bf18e4b057eecf598f0d4805dde14abee596514906256d75dddd468ef41a5cca0fa8e897adbc951231cae953a9c8fea251e63ea26c11d776b72863f9c75170c12c7a16d8fa41a5c29578092ae96e423331e0654a391a993df616abc0108c7d84297b92d4b5bbe560a538796cddca72a4dfec40b5266276dd258989515a02c3478318f7885895f5bea962012e4d0c3ab39010c43f9167713c21ea6eb7239ffb0353ebc8b341972ac71c474de7deb48e1812cbb270efd2508b05946685d45a84ce49922d721ddac94a7ee0d842440b1117ba04eec9bb9d18fd0c5e440df7b15f61cfca94b849edc6a2a810707a3e8c42ddb5ad9d8021d4c094184c54c9d192748d73c0cf6b96b49d64670f2ec3199e55494c6157855baaf36d7c200a1fa03cf59251420d1b36379967012f5ee3c9bc9e9ff470a727301527b17f612cc1f9b2ae9f85f712afc87b5924f16da2d6958fcd3b5ee03642e8da5678c9218d6ecdd99d7d712ad5998acd2852643c286f9334bfebeca4a5f41aaf8210accb9fa370f4d7a04b7114d24642dfd38c837befdca08a1a1b347c1720c8925dbff2e4ae5fff34a4e21bbfb0e4ee5e5936ce919a090a4d2cca0797c08f5c23fa98aff5e7515405fe1eaec86a44cdc0797726d31c4cf0d9af8e8ca44071362e671527899b117b0ed30e40b00861542a0114ea06589b003b5d17394ce205b392e74a5bdbf770a8207164d9da4176e929b282e7cfb37b132c74062b929b39c71d6b4dcfceb0ac10700d2776072fd398b701ec76bd226a80dda78aff5a5f0b0427aa1f11f30d5f1ec0b244103a4cebc1a0b68fe7df4484f619a78178bd2d9d6d31dee28daa72f7d5a0891a190d754dd91e8ef1eda6aee6725525c6155782c771b421687ddfd170b5df9683421817343c66e8cdb44eedd64574fd2da6e1105d8bc28ca58d955931ce929b86088e3e6967d6274190f533a2670038369a1d84ba8c6051c2cd4bb11b194c76c1225dfbc15b5633f86f562b0990c2864bf510a6447bd02cbc0f94db498c26850431faeaac49fd115d3dfd6eaec46277362c67f1d4ad459e25409af64ba933696c21ca7d4ed91a7dfa295a89cbdd68b1ca62b82be704a87670de2b8c1f2a7fea2cbb8397008f5c1032faeba1a0e687a3d7734420d47d852129999ab6b797ef0b57abfc9755ff0ea7a863703c2367072f1ffbbb57100046fb31a8e2fda3a28f01b77d6822c6885bf6ff51a035026d5edef077a5d4f68da6116ac9dc4170092e0d0c5e80fc11ae3d7366d73f8beb2b546430dae84c4bd130bd6f9dcb429c07854712f78ba49f0bcfb88c9601cf9294be31e4e95e5ac5024d7d052a92f279a02a867fcf209c9209fc8aa3bc68e721b475632234e26fb23c9e9b864b68d8d678782a2f046f0c3c91e23ab717940740b8f619a34563fad0ac739f234b6f1c2034f9e3a14c8509b6b113e6b351e7cebb5a1bcf74ab2818820ded76bad6618f313015984ec42da29918097e2dd90686a1de1a867c20288af9de5ab80a6906293d16914c4af7d3ac8b79fcd55b82c74b931b7b0fd80741d0f28e5b96cb787025d3768b2f94e0865e5b00ffc9a34103391f6e77c8dcb6779c2f42eb0fa74cfcf65654ccce544e0fd6a8b6706321d406b03c60e9c3b6a0effda75110058b56bc35eee95dad3e9ee07846dc0a4a9be5b4a2ec7bb4db11838afcfc5a5acff588a17a6928da64703921e275482a10fb77a0209ff1cf5294c20a7193228f7ffcd35584f6b7ae637327df0f4398c70198554bc2d08fb394e709b8d1684a31026e06d9358e92967043223f7f64d3ce47462b1efbfa50a7339c67302be89b43f728ab7c03d80f742c21f08aa5ad869d304a90fdf7aaab7a6b2930051e0d0db291184204cb15bb8aef2850643e286f9334bfe9eca6a594190b81d8ed43bac36258320b164f7f132cb39bef7b4328f416584f050436b2ea685c29307e9323cce0905a0a09640e2116fa81aa7afed853b00c9e7fcfd74484f633ade372a32def6eb0361ae9044644da1c4ff130aee19c4902fac3a2589cc9fd82a6bc19eff2b4a86bfd275a74c6de718d25096d993ebd99e57945293e16924e4bf530ae647bd324bf0fe4f0bdae6a9dc471512606043df2e955b632ede1b54162113e0e6746cfdfb777132f8bf8cf578803188b0fac24fdf1ad5d010a9293fff750a0c4127b45d7094b99ccf6a258720cd81db8caee6c4028cce9905938ca65a9c2f565aad173bdd8e6804dd50682d2718dd2b5406af3d45089c212a04fecc8b07e182974ea21ba8ae5ec495a1ef43e52e9044d0c1988b933ee14b33660e0dbb448ef104f4d0729f89157f5f8a2ae63ff30af1c1047b0fcec56420ff49b5a000545161189c11a9245fccaa25e6bc130be65ed21569205c5b1796226c115b1caed4e421335c0657b352b997f7a2023e01ca80d97e2f7545f08cf8864f7c7a8bf7013da8b43a708f77e5f283fe8e8b84f9428fcf9a45902c9b99a9eb5fdeeaea6621136ca665bd503757cd528469325c78a931a0047042b7f932cbff9ef5ea7ca68b5259e7500dd998ec54a613dc61571812d5a75fadea0458efede5474cd2596e10255dbc28b7dafdaf4bc55e6feb7ae6319c7b970edddb2b912614d323214980fc48b401037766c203de0eab05d9c3ab4e869b9c695698ddd62b12e111c4e810241daf94259f9c1516109391e157f752f2e9080003a3f6514218af912590df16ea23784e8dc567e092781f89ea5bde5615e350d15fa82ac039727331febcb48b4e39e5302fbdba8808fa7c4e755b7cd6b7d3cd51c758a2d79e1295e7630dae98da2ee95aff510a68019fef953a204ff37a89312000515054ed1fc76a720789327f474aa2e19f3055f1e00b2ba69e5c2b15a6ac23ba86c8fc39c9f0bbfcb6358c7ca789bd5b4baec62462a3c1c9a7c302f67902343f338a067edc3515406c1359e9286405bf3075034c2ea705dd30280d3ddbb42e425b1756a25d8ea805dcdc2ba8e63bdc362b837e51752c0c7a7b0ff61acd178712dd2154182d139816e8d2be598becc1bb3f310a34f9410fecbae536a3bdc1cb80c1aea4e4d021aa0899fcef4925e41c6f95faa049de3c6af47f71cacc0785d25310deaf2b25fe53341eb1eb03796988440003bd06f7038d0ea41bbe2e74058f2cc51b3f160a1399e16f707affb18acf38fa358e70fa81779c0228c0da67d1926b199ed414909fd4	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{28323C1A-37967678-09382627-B2851B0A}\ = fa5f9cd4c38b2c2fba3a0f49619c7c684b83a62982b866c8eda03b4e8ee53a6fb73a3dcf778532e3c1567f1dcaeb784637a3c251765cb3e949184091915ba36e699ba096305cb3d709128091f657c212e9af3fc5758c8c7a7a0f779af29630dcc4691f44aaf3070162f347ce327a7f8fca65ff7075f9b0f33eb6caf2b6620af6598e68e459f150bb9fb6aa8c18662de3b85172207fa98aa4b9d00b54c11d88a8cdda54912d5bb82ef0a5b5ff73b53e804a84df4cd59b50d193ef1e9a95eed39a9e97aa9d9f6b959e53d496dedcd516dfdcea17c692d32f215a776f425a49978492de10d41b9f96959dac2b983e684bbbe6318d88271c6d95241fe1aaa3c006f663c33e390b4f5e7aab71868062c4e1fc68b7c58d40b8f172b4cf005a1b2f56ba9db6a8033ae6ceecbb7bf18e4b057eecf598f0d4805dde14abee596514906256d75dddd468ef41a5cca0fa8e897adbc951231cae953a9c8fea251e63ea26c11d776b72863f9c75170c12c7a16d8fa41a5c29578092ae96e423331e0654a391a993df616abc0108c7d84297b92d4b5bbe560a538796cddca72a4dfec40b5266276dd258989515a02c3478318f7885895f5bea962012e4d0c3ab39010c43f9167713c21ea6eb7239ffb0353ebc8b341972ac71c474de7deb48e1812cbb270efd2508b05946685d45a84ce49922d721ddac94a7ee0d842440b1117ba04eec9bb9d18fd0c5e440df7b15f61cfca94b849edc6a2a810707a3e8c42ddb5ad9d8021d4c094184c54c9d192748d73c0cf6b96b49d64670f2ec3199e55494c6157855baaf36d7c200a1fa03cf59251420d1b36379967012f5ee3c9bc9e9ff470a727301527b17f612cc1f9b2ae9f85f712afc87b5924f16da2d6958fcd3b5ee03642e8da5678c9218d6ecdd99d7d712ad5998acd2852643c286f9334bfebeca4a5f41aaf8210accb9fa370f4d7a04b7114d24642dfd38c837befdca08a1a1b347c1720c8925dbff2e4ae5fff34a4e21bbfb0e4ee5e5936ce919a090a4d2cca0797c08f5c23fa98aff5e7515405fe1eaec86a44cdc0797726d31c4cf0d9af8e8ca44071362e671527899b117b0ed30e40b00861542a0114ea06589b003b5d17394ce205b392e74a5bdbf770a8207164d9da4176e929b282e7cfb37b132c74062b929b39c71d6b4dcfceb0ac10700d2776072fd398b701ec76bd226a80dda78aff5a5f0b0427aa1f11f30d5f1ec0b244103a4cebc1a0b68fe7df4484f619a78178bd2d9d6d31dee28daa72f7d5a0891a190d754dd91e8ef1eda6aee6725525c6155782c771b421687ddfd170b5df9683421817343c66e8cdb44eedd64574fd2da6e1105d8bc28ca58d955931ce929b86088e3e6967d6274190f533a2670038369a1d84ba8c6051c2cd4bb11b194c76c1225dfbc15b5633f86f562b0990c2864bf510a6447bd02cbc0f94db498c26850431faeaac49fd115d3dfd6eaec46277362c67f1d4ad459e25409af64ba933696c21ca7d4ed91a7dfa295a89cbdd68b1ca62b82be704a87670de2b8c1f2a7fea2cbb8397008f5c1032faeba1a0e687a3d7734420d47d852129999ab6b797ef0b57abfc9755ff0ea7a863703c2367072f1ffbbb57100046fb31a8e2fda3a28f01b77d6822c6885bf6ff51a035026d5edef077a5d4f68da6116ac9dc4170092e0d0c5e80fc11ae3d7366d73f8beb2b546430dae84c4bd130bd6f9dcb429c07854712f78ba49f0bcfb88c9601cf9294be31e4e95e5ac5024d7d052a92f279a02a867fcf209c9209fc8aa3bc68e721b475632234e26fb23c9e9b864b68d8d678782a2f046f0c3c91e23ab717940740b8f619a34563fad0ac739f234b6f1c2034f9e3a14c8509b6b113e6b351e7cebb5a1bcf74ab2818820ded76bad6618f313015984ec42da29918097e2dd90686a1de1a867c20288af9de5ab80a6906293d16914c4af7d3ac8b79fcd55b82c74b931b7b0fd80741d0f28e5b96cb787025d3768b2f94e0865e5b00ffc9a34103391f6e77c8dcb6779c2f42eb0fa74cfcf65654ccce544e0fd6a8b6706321d406b03c60e9c3b6a0effda75110058b56bc35eee95dad3e9ee07846dc0a4a9be5b4a2ec7bb4db11838afcfc5a5acff588a17a6928da64703921e275482a10fb77a0209ff1cf5294c20a7193228f7ffcd35584f6b7ae637327df0f4398c70198554bc2d08fb394e709b8d1684a31026e06d9358e92967043223f7f64d3ce47462b1efbfa50a7339c67302be89b43f728ab7c03d80f742c21f08aa5ad869d304a90fdf7aaab7a6b2930051e0d0db291184204cb15bb8aef2850643e286f9334bfe9eca6a594190b81d8ed43bac36258320b164f7f132cb39bef7b4328f416584f050436b2ea685c29307e9323cce0905a0a09640e2116fa81aa7afed853b00c9e7fcfd74484f633ade372a32def6eb0361ae9044644da1c4ff130aee19c4902fac3a2589cc9fd82a6bc19eff2b4a86bfd275a74c6de718d25096d993ebd99e57945293e16924e4bf530ae647bd324bf0fe4f0bdae6a9dc471512606043df2e955b632ede1b54162113e0e6746cfdfb777132f8bf8cf578803188b0fac24fdf1ad5d010a9293fff750a0c4127b45d7094b99ccf6a258720cd81db8caee6c4028cce9905938ca65a9c2f565aad173bdd8e6804dd50682d2718dd2b5406af3d45089c212a04fecc8b07e182974ea21ba8ae5ec495a1ef43e52e9044d0c1988b933ee14b33660e0dbb448ef104f4d0729f89157f5f8a2ae63ff30af1c1047b0fcec56420ff49b5a000545161189c11a9245fccaa25e6bc130be65ed21569205c5b1796226c115b1caed4e421335c0657b352b997f7a2023e01ca80d97e2f7545f08cf8864f7c7a8bf7013da8b43a708f77e5f283fe8e8b84f9428fcf9a45902c9b99a9eb5fdeeaea6621136ca665bd503757cd528469325c78a931a0047042b7f932cbff9ef5ea7ca68b5259e7500dd998ec54a613dc61571812d5a75fadea0458efede5474cd2596e10255dbc28b7dafdaf4bc55e6feb7ae6319c7b970edddb2b912614d323214980fc48b401037766c203de0eab05d9c3ab4e869b9c695698ddd62b12e111c4e810241daf94259f9c1516109391e157f752f2e9080003a3f6514218af912590df16ea23784e8dc567e092781f89ea5bde5615e350d15fa82ac039727331febcb48b4e39e5302fbdba8808fa7c4e755b7cd6b7d3cd51c758a2d79e1295e7630dae98da2ee95aff510a68019fef953a204ff37a89312000515054ed1fc76a720789327f474aa2e19f3055f1e00b2ba69e5c2b15a6ac23ba86c8fc39c9f0bbfcb6358c7ca789bd5b4baec62462a3c1c9a7c302f67902343f338a067edc3515406c1359e9286405bf3075034c2ea705dd30280d3ddbb42e425b1756a25d8ea805dcdc2ba8e63bdc362b837e51752c0c7a7b0ff61acd178712dd2154182d139816e8d2be598becc1bb3f310a34f9410fecbae536a3bdc1cb80c1aea4e4d021aa0899fcef4925e41c6f95faa049de3c6af47f71cacc0785d25310deaf2b25fe53341eb1eb03796988440003bd06f7038d0ea41bbe2e74058f2cc51b3f160a1399e16f707affb18acf38fa358e70fa81779c0228c0da67d1926b199ed414909fd4	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeBackupPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeRestorePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeShutdownPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeDebugPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeUndockPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 33	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 34	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 35	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
Token: 36	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe

description	pid	process	target process
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 5092	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	notepad.exe
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe
PID 1444 wrote to memory of 1268	1444	f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4aa4319e9665a8e361b1698ed0bd7d5_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Adds Run key to start application
PID:5092

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5
Filesize
2KB

MD5
d8b37842c7ea650e35ab34a6f0581e6d

SHA1
84324031bb44aa56d19b78892b38371fe830d11e

SHA256
0d15d81daa2b1295954e00eb51388d119f2248238e940b24973508bfb083435d

SHA512
793d21a65685ca1a92ddc6f79ac48a74e9651a9579892405913b9a628d0425bb6ec4c4857587f93c8f1080481db9480fab7b71eb4d0ef571839d9d4022976cb5

Download Submit
C:\Windupdt\winupdate.exe
Filesize
848KB

MD5
f4aa4319e9665a8e361b1698ed0bd7d5

SHA1
9f0ba090549177dca85ec622459464b37c5505e1

SHA256
5663bb62c67c6453f5dc4f0e395faa9219f6397efcf86c0f49d48114825c3488

SHA512
be6421f468b4ecdf8cf3afcb123daf7c80186b058e3526ba34995afab1b9af9fbbc4fef52684e0efc1d88e67fbe7348d9e9f89d28c55d485f0fe5dce37aaa3f6

Download Submit
memory/1268-19-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-22-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-20-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-23-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1268-24-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1444-0-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/1444-12-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1444-21-0x0000000013140000-0x0000000013226000-memory.dmp

Filesize
920KB

Download
memory/5092-14-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads