darkcomet | 41a682da16b22581581ef2353fe9e900be9162609dc89c956addd256b4f9d546

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"	TROJAN.EXE

Modifies firewall policy service 3 TTPs 3 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	Java.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Java.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Java.exe

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Java.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Java.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 3 IoCs

pid	Process
3064	IDOSER V4.EXE
640	TROJAN.EXE
2296	Java.exe

Loads dropped DLL 5 IoCs

pid	Process
3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe
3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe
3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe
640	TROJAN.EXE
640	TROJAN.EXE

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"	Java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"	TROJAN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROJAN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	640	TROJAN.EXE
Token: SeSecurityPrivilege	640	TROJAN.EXE
Token: SeTakeOwnershipPrivilege	640	TROJAN.EXE
Token: SeLoadDriverPrivilege	640	TROJAN.EXE
Token: SeSystemProfilePrivilege	640	TROJAN.EXE
Token: SeSystemtimePrivilege	640	TROJAN.EXE
Token: SeProfSingleProcessPrivilege	640	TROJAN.EXE
Token: SeIncBasePriorityPrivilege	640	TROJAN.EXE
Token: SeCreatePagefilePrivilege	640	TROJAN.EXE
Token: SeBackupPrivilege	640	TROJAN.EXE
Token: SeRestorePrivilege	640	TROJAN.EXE
Token: SeShutdownPrivilege	640	TROJAN.EXE
Token: SeDebugPrivilege	640	TROJAN.EXE
Token: SeSystemEnvironmentPrivilege	640	TROJAN.EXE
Token: SeChangeNotifyPrivilege	640	TROJAN.EXE
Token: SeRemoteShutdownPrivilege	640	TROJAN.EXE
Token: SeUndockPrivilege	640	TROJAN.EXE
Token: SeManageVolumePrivilege	640	TROJAN.EXE
Token: SeImpersonatePrivilege	640	TROJAN.EXE
Token: SeCreateGlobalPrivilege	640	TROJAN.EXE
Token: 33	640	TROJAN.EXE
Token: 34	640	TROJAN.EXE
Token: 35	640	TROJAN.EXE
Token: SeIncreaseQuotaPrivilege	2296	Java.exe
Token: SeSecurityPrivilege	2296	Java.exe
Token: SeTakeOwnershipPrivilege	2296	Java.exe
Token: SeLoadDriverPrivilege	2296	Java.exe
Token: SeSystemProfilePrivilege	2296	Java.exe
Token: SeSystemtimePrivilege	2296	Java.exe
Token: SeProfSingleProcessPrivilege	2296	Java.exe
Token: SeIncBasePriorityPrivilege	2296	Java.exe
Token: SeCreatePagefilePrivilege	2296	Java.exe
Token: SeBackupPrivilege	2296	Java.exe
Token: SeRestorePrivilege	2296	Java.exe
Token: SeShutdownPrivilege	2296	Java.exe
Token: SeDebugPrivilege	2296	Java.exe
Token: SeSystemEnvironmentPrivilege	2296	Java.exe
Token: SeChangeNotifyPrivilege	2296	Java.exe
Token: SeRemoteShutdownPrivilege	2296	Java.exe
Token: SeUndockPrivilege	2296	Java.exe
Token: SeManageVolumePrivilege	2296	Java.exe
Token: SeImpersonatePrivilege	2296	Java.exe
Token: SeCreateGlobalPrivilege	2296	Java.exe
Token: 33	2296	Java.exe
Token: 34	2296	Java.exe
Token: 35	2296	Java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	Java.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3064	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	30
PID 3036 wrote to memory of 3064	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	30
PID 3036 wrote to memory of 3064	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	30
PID 3036 wrote to memory of 3064	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	30
PID 3036 wrote to memory of 640	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	31
PID 3036 wrote to memory of 640	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	31
PID 3036 wrote to memory of 640	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	31
PID 3036 wrote to memory of 640	3036	JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe	31
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33
PID 640 wrote to memory of 2296	640	TROJAN.EXE	33

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	Java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	Java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	Java.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11fb758dd3cdc09650445e5527b88e66.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE
  "C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE
  "C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Roaming\Java.exe
    "C:\Users\Admin\AppData\Roaming\Java.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry