darkcomet | 3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Executes dropped EXE 2 IoCs

Processes:

winupdate.exewinupdate.exe

pid process

2476 winupdate.exe
2728 winupdate.exe

pid	process
2476	winupdate.exe
2728	winupdate.exe

Loads dropped DLL 8 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exewinupdate.exe

pid	process
3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2476	winupdate.exe
2476	winupdate.exe
2476	winupdate.exe
2476	winupdate.exe
2728	winupdate.exe
2728	winupdate.exe
2728	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process	target process
PID 2028 set thread context of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3044 set thread context of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 2476 set thread context of 2728	2476	winupdate.exe	winupdate.exe

Drops file in Windows directory 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
File created	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

winupdate.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSecurityPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRestorePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeShutdownPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeDebugPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeUndockPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 33	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 34	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 35	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2728	winupdate.exe
Token: SeSecurityPrivilege	2728	winupdate.exe
Token: SeTakeOwnershipPrivilege	2728	winupdate.exe
Token: SeLoadDriverPrivilege	2728	winupdate.exe
Token: SeSystemProfilePrivilege	2728	winupdate.exe
Token: SeSystemtimePrivilege	2728	winupdate.exe
Token: SeProfSingleProcessPrivilege	2728	winupdate.exe
Token: SeIncBasePriorityPrivilege	2728	winupdate.exe
Token: SeCreatePagefilePrivilege	2728	winupdate.exe
Token: SeBackupPrivilege	2728	winupdate.exe
Token: SeRestorePrivilege	2728	winupdate.exe
Token: SeShutdownPrivilege	2728	winupdate.exe
Token: SeDebugPrivilege	2728	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2728	winupdate.exe
Token: SeChangeNotifyPrivilege	2728	winupdate.exe
Token: SeRemoteShutdownPrivilege	2728	winupdate.exe
Token: SeUndockPrivilege	2728	winupdate.exe
Token: SeManageVolumePrivilege	2728	winupdate.exe
Token: SeImpersonatePrivilege	2728	winupdate.exe
Token: SeCreateGlobalPrivilege	2728	winupdate.exe
Token: 33	2728	winupdate.exe
Token: 34	2728	winupdate.exe
Token: 35	2728	winupdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exeexplorer.exewinupdate.exewinupdate.exe

pid process

2028 f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2608 explorer.exe
2476 winupdate.exe
2728 winupdate.exe

pid	process
2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2608	explorer.exe
2476	winupdate.exe
2728	winupdate.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process	target process
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 2028 wrote to memory of 3044	2028	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2608	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3044 wrote to memory of 2476	3044	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe
PID 2476 wrote to memory of 2728	2476	winupdate.exe	winupdate.exe

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\microsoft\winupdate.exe
"C:\Windows\microsoft\winupdate.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\microsoft\winupdate.exe
C:\Windows\microsoft\winupdate.exe
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

System Information Discovery

4