darkcomet | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

Modifies firewall policy service 2 TTPs 6 IoCs

Modify Registry

Windows Service

Processes:

iexplore.exeWindows.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	Windows.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

Processes:

Windows.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe

Disables RegEdit via registry modification 2 IoCs

Processes:

iexplore.exeWindows.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Windows.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2544 attrib.exe
2672 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

Windows.exe

pid process

2804 Windows.exe
Loads dropped DLL 2 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

pid process

2892 4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
2892 4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

pid	process
2544	attrib.exe
2672	attrib.exe

pid	process
2804	Windows.exe

pid	process
2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe	upx
behavioral1/memory/2804-13-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2804-17-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2312-15-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2892-18-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

iexplore.exe4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exeWindows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	Windows.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Windows.exe

description pid process target process

PID 2804 set thread context of 2312 2804 Windows.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2804 set thread context of 2312	2804	Windows.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exeWindows.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSecurityPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeBackupPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeRestorePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeShutdownPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeDebugPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeUndockPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 33	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 34	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 35	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2804	Windows.exe
Token: SeSecurityPrivilege	2804	Windows.exe
Token: SeTakeOwnershipPrivilege	2804	Windows.exe
Token: SeLoadDriverPrivilege	2804	Windows.exe
Token: SeSystemProfilePrivilege	2804	Windows.exe
Token: SeSystemtimePrivilege	2804	Windows.exe
Token: SeProfSingleProcessPrivilege	2804	Windows.exe
Token: SeIncBasePriorityPrivilege	2804	Windows.exe
Token: SeCreatePagefilePrivilege	2804	Windows.exe
Token: SeBackupPrivilege	2804	Windows.exe
Token: SeRestorePrivilege	2804	Windows.exe
Token: SeShutdownPrivilege	2804	Windows.exe
Token: SeDebugPrivilege	2804	Windows.exe
Token: SeSystemEnvironmentPrivilege	2804	Windows.exe
Token: SeChangeNotifyPrivilege	2804	Windows.exe
Token: SeRemoteShutdownPrivilege	2804	Windows.exe
Token: SeUndockPrivilege	2804	Windows.exe
Token: SeManageVolumePrivilege	2804	Windows.exe
Token: SeImpersonatePrivilege	2804	Windows.exe
Token: SeCreateGlobalPrivilege	2804	Windows.exe
Token: 33	2804	Windows.exe
Token: 34	2804	Windows.exe
Token: 35	2804	Windows.exe
Token: SeIncreaseQuotaPrivilege	2312	iexplore.exe
Token: SeSecurityPrivilege	2312	iexplore.exe
Token: SeTakeOwnershipPrivilege	2312	iexplore.exe
Token: SeLoadDriverPrivilege	2312	iexplore.exe
Token: SeSystemProfilePrivilege	2312	iexplore.exe
Token: SeSystemtimePrivilege	2312	iexplore.exe
Token: SeProfSingleProcessPrivilege	2312	iexplore.exe
Token: SeIncBasePriorityPrivilege	2312	iexplore.exe
Token: SeCreatePagefilePrivilege	2312	iexplore.exe
Token: SeBackupPrivilege	2312	iexplore.exe
Token: SeRestorePrivilege	2312	iexplore.exe
Token: SeShutdownPrivilege	2312	iexplore.exe
Token: SeDebugPrivilege	2312	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2312	iexplore.exe
Token: SeChangeNotifyPrivilege	2312	iexplore.exe
Token: SeRemoteShutdownPrivilege	2312	iexplore.exe
Token: SeUndockPrivilege	2312	iexplore.exe
Token: SeManageVolumePrivilege	2312	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2312 iexplore.exe

pid	process
2312	iexplore.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.execmd.execmd.exeWindows.exe

description	pid	process	target process
PID 2892 wrote to memory of 3016	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 3016	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 3016	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 3016	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2532	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2532	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2532	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2892 wrote to memory of 2532	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 2544	3016	cmd.exe	attrib.exe
PID 3016 wrote to memory of 2544	3016	cmd.exe	attrib.exe
PID 3016 wrote to memory of 2544	3016	cmd.exe	attrib.exe
PID 3016 wrote to memory of 2544	3016	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2672	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2672	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2672	2532	cmd.exe	attrib.exe
PID 2532 wrote to memory of 2672	2532	cmd.exe	attrib.exe
PID 2892 wrote to memory of 2804	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 2892 wrote to memory of 2804	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 2892 wrote to memory of 2804	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 2892 wrote to memory of 2804	2892	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe
PID 2804 wrote to memory of 2312	2804	Windows.exe	iexplore.exe

System policy modification 1 TTPs 3 IoCs

Modify Registry

Processes:

Windows.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	Windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	Windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	Windows.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2544 attrib.exe
2672 attrib.exe

pid	process
2544	attrib.exe
2672	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2672

C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Modify Registry

5

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery