darkcomet | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Processes:

Windows.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	Windows.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Windows.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Windows.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

Windows.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Windows.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Windows.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Windows.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Windows.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3508 attrib.exe
2504 attrib.exe

pid	process
3508	attrib.exe
2504	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Windows.exe

pid process

2136 Windows.exe

pid	process
2136	Windows.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4580-0-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe	upx
behavioral2/memory/4580-62-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-63-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-64-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-65-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-66-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-67-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-68-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-69-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-70-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-71-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-72-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-73-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-74-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-75-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/2136-76-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exeWindows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe"	Windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exeWindows.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSecurityPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeBackupPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeRestorePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeShutdownPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeDebugPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeUndockPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 33	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 34	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 35	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: 36	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2136	Windows.exe
Token: SeSecurityPrivilege	2136	Windows.exe
Token: SeTakeOwnershipPrivilege	2136	Windows.exe
Token: SeLoadDriverPrivilege	2136	Windows.exe
Token: SeSystemProfilePrivilege	2136	Windows.exe
Token: SeSystemtimePrivilege	2136	Windows.exe
Token: SeProfSingleProcessPrivilege	2136	Windows.exe
Token: SeIncBasePriorityPrivilege	2136	Windows.exe
Token: SeCreatePagefilePrivilege	2136	Windows.exe
Token: SeBackupPrivilege	2136	Windows.exe
Token: SeRestorePrivilege	2136	Windows.exe
Token: SeShutdownPrivilege	2136	Windows.exe
Token: SeDebugPrivilege	2136	Windows.exe
Token: SeSystemEnvironmentPrivilege	2136	Windows.exe
Token: SeChangeNotifyPrivilege	2136	Windows.exe
Token: SeRemoteShutdownPrivilege	2136	Windows.exe
Token: SeUndockPrivilege	2136	Windows.exe
Token: SeManageVolumePrivilege	2136	Windows.exe
Token: SeImpersonatePrivilege	2136	Windows.exe
Token: SeCreateGlobalPrivilege	2136	Windows.exe
Token: 33	2136	Windows.exe
Token: 34	2136	Windows.exe
Token: 35	2136	Windows.exe
Token: 36	2136	Windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows.exe

pid process

2136 Windows.exe

pid	process
2136	Windows.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.execmd.execmd.exeWindows.exe

description	pid	process	target process
PID 4580 wrote to memory of 2384	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 4580 wrote to memory of 2384	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 4580 wrote to memory of 2384	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 4580 wrote to memory of 2144	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 4580 wrote to memory of 2144	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 4580 wrote to memory of 2144	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	cmd.exe
PID 2384 wrote to memory of 2504	2384	cmd.exe	attrib.exe
PID 2384 wrote to memory of 2504	2384	cmd.exe	attrib.exe
PID 2384 wrote to memory of 2504	2384	cmd.exe	attrib.exe
PID 2144 wrote to memory of 3508	2144	cmd.exe	attrib.exe
PID 2144 wrote to memory of 3508	2144	cmd.exe	attrib.exe
PID 2144 wrote to memory of 3508	2144	cmd.exe	attrib.exe
PID 4580 wrote to memory of 2136	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 4580 wrote to memory of 2136	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 4580 wrote to memory of 2136	4580	4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe	Windows.exe
PID 2136 wrote to memory of 2180	2136	Windows.exe	iexplore.exe
PID 2136 wrote to memory of 2180	2136	Windows.exe	iexplore.exe
PID 2136 wrote to memory of 2180	2136	Windows.exe	iexplore.exe
PID 2136 wrote to memory of 1960	2136	Windows.exe	explorer.exe
PID 2136 wrote to memory of 1960	2136	Windows.exe	explorer.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

Windows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	Windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	Windows.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2504 attrib.exe
3508 attrib.exe

pid	process
2504	attrib.exe
3508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\4ba3b7693391fa5d8326b686692a9f91_JaffaCakes118.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3508

C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:2180

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

5

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery