Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 10:46
Static task: static1
Behavioral task: behavioral1
Sample: 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Size: 952KB
MD5: 28438517f96da37569cdf64333884f50
SHA1: a77b7beb305a828f4c0f73b3dbe220d9a53e42f2
SHA256: e0a69909638dbec232e66444075e59502c580252a28bb2f48434cf6eaf6799de
SHA512: d21f46f16495a4a4197ac5e303d4cae2410cf2f7f1e3670aca13dd10bf93d4e0df4615d955f1807a8b1edb70b1b84acc3f671e7c4dedc68e57f3007f16606c7e
SSDEEP: 24576:zY/qcnlLRW6SJwAZtyrjYC2kTyRqqwRurH:E/V/SJ3XyrjYCeqpqH
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\system32\\winlogon.exe" | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Windows security bypass 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Disables Task Manager via registry modification
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winlogon.exe
Executes dropped EXE 3 IoCs
pid | Process
1544 | winlogon.exe
2108 | winlogon.exe
2840 | winlogon.exe
Loads dropped DLL 2 IoCs
pid | Process
2332 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
2332 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Windows security modification 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\system32\\winlogon.exe" | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
File opened for modification | \??\PhysicalDrive0 | winlogon.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2436 set thread context of 2420 | 2436 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | 28
PID 2420 set thread context of 2332 | 2420 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | 29
PID 1544 set thread context of 2108 | 1544 | winlogon.exe | 31
PID 2108 set thread context of 2840 | 2108 | winlogon.exe | 32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2840 | winlogon.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 2332 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 2840 | winlogon.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2436 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
2420 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe
1544 | winlogon.exe
2108 | winlogon.exe
2840 | winlogon.exe
Suspicious use of WriteProcessMemory 48 IoCs
(identical rows collapsed; the count column gives the number of times each row appears)
description | pid | Process | procid_target | count
PID 2436 wrote to memory of 2420 | 2436 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | 28 | 9
PID 2420 wrote to memory of 2332 | 2420 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | 29 | 13
PID 2332 wrote to memory of 1544 | 2332 | 28438517f96da37569cdf64333884f50_JaffaCakes118.exe | 30 | 4
PID 1544 wrote to memory of 2108 | 1544 | winlogon.exe | 31 | 9
PID 2108 wrote to memory of 2840 | 2108 | winlogon.exe | 32 | 13
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | winlogon.exe
Processes
(process tree; indentation shows depth, each process is a child of the one above it)
C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (depth 1, PID 2436)
Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (depth 2, PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe (depth 3, PID 2332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\28438517f96da37569cdf64333884f50_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\system32\winlogon.exe (depth 4, PID 1544)
      Command line: "C:\system32\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\system32\winlogon.exe (depth 5, PID 2108)
        Command line: "C:\system32\winlogon.exe"
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
          C:\system32\winlogon.exe (depth 6, PID 2840)
          Command line: "C:\system32\winlogon.exe"
          - Modifies firewall policy service
          - Modifies security service
          - Windows security bypass
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Windows security modification
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - System policy modification
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the number of matched signatures per tactic/technique)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)