mydoom | 9c0c0043b1adb3329e40d87bc1c095abc4e99b3e07c64a1078b3eef596d1b021

General

Target

b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
Size

28KB
MD5

b34a1025cdde866e050423a15dcbbb43
SHA1

da88d68b0d70437d10bed566c20f30c0572b3e48
SHA256

9c0c0043b1adb3329e40d87bc1c095abc4e99b3e07c64a1078b3eef596d1b021
SHA512

76970f29f4358202a0167c6284e643269ff6e68f9845cb6e7546f4f0564664fbc19d6044a028381450594873a34bd05f01cbc970a3cf05835e5ee2f7285bbfcd
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNCR65:Dv8IRRdsxq1DjJcqfI

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/5096-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/5096-51-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/5096-56-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/5096-162-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/5096-184-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
3948	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000234cf-4.dat	upx
behavioral2/memory/3948-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5096-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3948-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5096-51-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3948-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5096-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3948-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023409-67.dat	upx
behavioral2/memory/5096-162-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3948-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5096-184-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3948-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3948-189-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
File created	C:\Windows\java.exe	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3948	5096	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe	85
PID 5096 wrote to memory of 3948	5096	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe	85
PID 5096 wrote to memory of 3948	5096	b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b34a1025cdde866e050423a15dcbbb43_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gonilxgy8i.log

Filesize
1KB

MD5
e6b2b4143b1c1e67893ec0636fcb8a7e

SHA1
ee11e8dc01e66f9a687a2fcb2f3cb6f3305dea40

SHA256
19e8cb883f2f8821cccf721467150cb3d67719ea2ac9bcaca813ce7367b5b46f

SHA512
fcf7ff714be214cb1c256d885bcaf1e3ac84f47bd0d0de3655fdb3a50288100ded532b214ff8d55c30c2ed0bc1fd1ab492aae584935678c8ca6e4f4e50a84952

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3706.tmp

Filesize
28KB

MD5
bf634557b6e5ea874436187497da94d6

SHA1
c511c8a07e8bc06b184f21a1912d8335ae6ac215

SHA256
aa0f4c0f65dc197738ba8373df01896607a1137c824d662c1819496a0bf42312

SHA512
4234e6abf8137c3a5236f4bb6f3e728ae4f3e6b739fc1f9bc09038618dbd109b0854e19932d2bd2662a62a1b44b1c358a731401301017ffc4038628977a1816d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5b8b8291f6b22810a629f0059c56034e

SHA1
8b9a1b386caad53f22c5b4009a2ee3859debc10e

SHA256
bd0f81af7fe4e7f905ac4dd2ea0fde45bddcbd3959172ffff9b4273a45b4c710

SHA512
c3f24bb4778bdc5cd7a3c181065acb26b8092eaca70618122b1c5a913f59f5a5ef58cabfde1ef60f8f452be5e9e4efd971226570f4aebb85be72582aaeeab92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ed6dc461bde5f9effc3fdb4f6ba75891

SHA1
a47a87d51034f064e337d83c48bc04f3e074cb9d

SHA256
d6d969be19229e6565fcbf96df78c6e7b450018fe69582871ffc4bc7759657a2

SHA512
fc5a20250361bd64545211397da908b1d57b9f6ffdbc9053dfbf2c5b35918beb5bc2da05240d6eaa2b4f6ca4bffb02f0353af492d46ac91f2811c35438907fa7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3948-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3948-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5096-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5096-162-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5096-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5096-184-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5096-51-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads