darkcomet | ac127a5d36034ce79ec68c677415a575eba0eff150db40a8dbc814d160df952a

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	f6444e469478023a106e271416492875_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winupdate.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winupdate.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winupdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f6444e469478023a106e271416492875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f6444e469478023a106e271416492875_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1328	winupdate.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	f6444e469478023a106e271416492875_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6444e469478023a106e271416492875_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f6444e469478023a106e271416492875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f6444e469478023a106e271416492875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f6444e469478023a106e271416492875_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	f6444e469478023a106e271416492875_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f6444e469478023a106e271416492875_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1328	winupdate.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeSecurityPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeBackupPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeRestorePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeShutdownPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeDebugPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeUndockPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: 33	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: 34	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: 35	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: 36	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1328	winupdate.exe
Token: SeSecurityPrivilege	1328	winupdate.exe
Token: SeTakeOwnershipPrivilege	1328	winupdate.exe
Token: SeLoadDriverPrivilege	1328	winupdate.exe
Token: SeSystemProfilePrivilege	1328	winupdate.exe
Token: SeSystemtimePrivilege	1328	winupdate.exe
Token: SeProfSingleProcessPrivilege	1328	winupdate.exe
Token: SeIncBasePriorityPrivilege	1328	winupdate.exe
Token: SeCreatePagefilePrivilege	1328	winupdate.exe
Token: SeBackupPrivilege	1328	winupdate.exe
Token: SeRestorePrivilege	1328	winupdate.exe
Token: SeShutdownPrivilege	1328	winupdate.exe
Token: SeDebugPrivilege	1328	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1328	winupdate.exe
Token: SeChangeNotifyPrivilege	1328	winupdate.exe
Token: SeRemoteShutdownPrivilege	1328	winupdate.exe
Token: SeUndockPrivilege	1328	winupdate.exe
Token: SeManageVolumePrivilege	1328	winupdate.exe
Token: SeImpersonatePrivilege	1328	winupdate.exe
Token: SeCreateGlobalPrivilege	1328	winupdate.exe
Token: 33	1328	winupdate.exe
Token: 34	1328	winupdate.exe
Token: 35	1328	winupdate.exe
Token: 36	1328	winupdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1328	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe	84
PID 4340 wrote to memory of 1328	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe	84
PID 4340 wrote to memory of 1328	4340	f6444e469478023a106e271416492875_JaffaCakes118.exe	84

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	winupdate.exe

C:\Users\Admin\AppData\Local\Temp\f6444e469478023a106e271416492875_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6444e469478023a106e271416492875_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windupdt\winupdate.exe
  "C:\Windupdt\winupdate.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery