darkcomet | 90609bc1ea530df6692c767ed364797cc03c1348fabc0b5ea244f8764c41b6f3

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

2904 svchost.exe
2572 svchost.exe
884 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

pid process

2888 10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
2888 10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

pid	process
2904	svchost.exe
2572	svchost.exe
884	svchost.exe

pid	process
2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2232 set thread context of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 set thread context of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2904 set thread context of 2572	2904	svchost.exe	svchost.exe
PID 2572 set thread context of 884	2572	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeBackupPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeRestorePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeShutdownPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeUndockPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: 33	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: 34	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: 35	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	884	svchost.exe
Token: SeSecurityPrivilege	884	svchost.exe
Token: SeTakeOwnershipPrivilege	884	svchost.exe
Token: SeLoadDriverPrivilege	884	svchost.exe
Token: SeSystemProfilePrivilege	884	svchost.exe
Token: SeSystemtimePrivilege	884	svchost.exe
Token: SeProfSingleProcessPrivilege	884	svchost.exe
Token: SeIncBasePriorityPrivilege	884	svchost.exe
Token: SeCreatePagefilePrivilege	884	svchost.exe
Token: SeBackupPrivilege	884	svchost.exe
Token: SeRestorePrivilege	884	svchost.exe
Token: SeShutdownPrivilege	884	svchost.exe
Token: SeDebugPrivilege	884	svchost.exe
Token: SeSystemEnvironmentPrivilege	884	svchost.exe
Token: SeChangeNotifyPrivilege	884	svchost.exe
Token: SeRemoteShutdownPrivilege	884	svchost.exe
Token: SeUndockPrivilege	884	svchost.exe
Token: SeManageVolumePrivilege	884	svchost.exe
Token: SeImpersonatePrivilege	884	svchost.exe
Token: SeCreateGlobalPrivilege	884	svchost.exe
Token: 33	884	svchost.exe
Token: 34	884	svchost.exe
Token: 35	884	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exesvchost.exe

pid process

2232 10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
1520 10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
2904 svchost.exe
2572 svchost.exe

pid	process
2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
2904	svchost.exe
2572	svchost.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2232 wrote to memory of 1520	2232	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 1520 wrote to memory of 2888	1520	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
PID 2888 wrote to memory of 2752	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	explorer.exe
PID 2888 wrote to memory of 2752	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	explorer.exe
PID 2888 wrote to memory of 2752	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	explorer.exe
PID 2888 wrote to memory of 2752	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	explorer.exe
PID 2888 wrote to memory of 2904	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2904	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2904	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2904	2888	10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2904 wrote to memory of 2572	2904	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe
PID 2572 wrote to memory of 884	2572	svchost.exe	svchost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	svchost.exe

C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e976814722aec669c98ca54c27d9d6_JaffaCakes118.exe"
3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
PID:2752

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
6⤵
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

6

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

3

System Information Discovery

4