darkcomet | 3ec0a079d0652f425432709ad41d60476a26558047714ab87975567270d6d83f

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

winupdate.exewinupdate.exe

pid process

3920 winupdate.exe
2112 winupdate.exe

pid	process
3920	winupdate.exe
2112	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\microsoft\\winupdate.exe"	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process	target process
PID 3192 set thread context of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3920 set thread context of 2112	3920	winupdate.exe	winupdate.exe

Drops file in Windows directory 4 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
File created	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
File opened for modification	C:\Windows\microsoft\winupdate.exe	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 1 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSecurityPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeBackupPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRestorePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeShutdownPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeDebugPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeUndockPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 33	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 34	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 35	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: 36	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2112	winupdate.exe
Token: SeSecurityPrivilege	2112	winupdate.exe
Token: SeTakeOwnershipPrivilege	2112	winupdate.exe
Token: SeLoadDriverPrivilege	2112	winupdate.exe
Token: SeSystemProfilePrivilege	2112	winupdate.exe
Token: SeSystemtimePrivilege	2112	winupdate.exe
Token: SeProfSingleProcessPrivilege	2112	winupdate.exe
Token: SeIncBasePriorityPrivilege	2112	winupdate.exe
Token: SeCreatePagefilePrivilege	2112	winupdate.exe
Token: SeBackupPrivilege	2112	winupdate.exe
Token: SeRestorePrivilege	2112	winupdate.exe
Token: SeShutdownPrivilege	2112	winupdate.exe
Token: SeDebugPrivilege	2112	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2112	winupdate.exe
Token: SeChangeNotifyPrivilege	2112	winupdate.exe
Token: SeRemoteShutdownPrivilege	2112	winupdate.exe
Token: SeUndockPrivilege	2112	winupdate.exe
Token: SeManageVolumePrivilege	2112	winupdate.exe
Token: SeImpersonatePrivilege	2112	winupdate.exe
Token: SeCreateGlobalPrivilege	2112	winupdate.exe
Token: 33	2112	winupdate.exe
Token: 34	2112	winupdate.exe
Token: 35	2112	winupdate.exe
Token: 36	2112	winupdate.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exewinupdate.exe

pid process

3192 f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
3920 winupdate.exe
2112 winupdate.exe

pid	process
3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
3920	winupdate.exe
2112	winupdate.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exef910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exewinupdate.exe

description	pid	process	target process
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3192 wrote to memory of 3100	3192	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3100 wrote to memory of 4976	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	explorer.exe
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3100 wrote to memory of 3920	3100	f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe
PID 3920 wrote to memory of 2112	3920	winupdate.exe	winupdate.exe

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f910ba6ba0a9de0c1f139c1199e89875_JaffaCakes118.exe
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:4976

C:\Windows\microsoft\winupdate.exe
"C:\Windows\microsoft\winupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\microsoft\winupdate.exe
C:\Windows\microsoft\winupdate.exe
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

4

System Information Discovery

5