mydoom | 96da703b37824b95fcb27d76207aaa1ce0b4f284cec9e46c6428c85abd51eca1

General

Target

be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
Size

48KB
MD5

be9ceb2dac61c202526045be51ac037b
SHA1

5126c0368dc9f3b9bc0eae496639f18144496b0b
SHA256

96da703b37824b95fcb27d76207aaa1ce0b4f284cec9e46c6428c85abd51eca1
SHA512

803cea81c50fe0e310b4d9c22a97c2227571e320dc1147677a199cf2d37112d6adf1922d7a3b1472d96bda894b4d515d83bc00d763ed7289181ec321962f4687
SSDEEP

768:jv8IRRdsxq1DjJcqOVBLUvTd2wmDkuBgs5vY2HJvqRTkoCmq1UrHI3Gr:DxRTsxq1DjCBBLUrGaeva1CmRrHI3i

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/4704-21-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4704-66-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4704-71-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4704-164-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4704-190-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
4184	services.exe

Loads dropped DLL 1 IoCs

pid	Process
4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4704-0-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/files/0x000700000002340f-12.dat	upx
behavioral2/memory/4184-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-21-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4184-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-66-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4184-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-71-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4184-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c00000002342f-73.dat	upx
behavioral2/memory/4704-164-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4184-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-190-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4184-191-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4184-195-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcmgcd32.dl_	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dll	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File created	C:\Windows\java.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\JAVA.EXE	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SERVICES.EXE	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File opened for modification	C:\Windows\SYSTEM.INI	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
File created	C:\Windows\services.exe	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4184	4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe	84
PID 4704 wrote to memory of 4184	4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe	84
PID 4704 wrote to memory of 4184	4704	be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be9ceb2dac61c202526045be51ac037b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMbma.log

Filesize
1KB

MD5
a22b16d8a39a2482828351565c214ac4

SHA1
51c59a8e09ad52e4d4767d8936d0d7b0af3a67f6

SHA256
e9cfa453291d7a09f554da1c89b81cf055462a4f5977a096a2e6071a4e12515f

SHA512
2ef48a5ddf36d5ed9294246a78c2061bcbd864e914c5a0337b2d8dbebf255ee53ff83d2d9d18795396d2dae1998bdb96e0c4b102869b61a8900a70650ca790d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18DD.tmp

Filesize
48KB

MD5
39fd7d6b43a4f7f131e54939499a41c3

SHA1
c19ed60e4bcf275252c2917b47f94228bbb1a490

SHA256
9a5988e27be3fe1a2a273a631a43e711aca5736b17c1b48149f81d5dceb6bac3

SHA512
864c7f2c0df1cd10a4c6b38318d3db35225c8055fa957acb638fce71eb15efa2e450f528b05f70bbfcaa15deb7bfb094dfba2bea77e64a289b2af7880578ed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ec5ecbc9ea39ae1c1946b2e6301d3e4d

SHA1
f205570133db924e97a3e3f724733673a602d301

SHA256
8be14338aa97b8535a6f27f9edc00edb81532662c1140427ce4ec5d7e077b411

SHA512
56b167e7be18108aa9b809644dd9949d4277d5871d4250fcd50d61b2344810660f2e1b6163ca0f02dd08f03c6a88776cda95b59c9c8cd2c5da7ee6fa2bb66b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
bae39783e4dc589d322778a83aa1a952

SHA1
77329a85b56c568f1886bad6b0cba97898cfbcb5

SHA256
169d6f2174e55f41b18da698a55f0a380186b491383da1804de4fdab99baddaa

SHA512
477a770b839ddad475334f2de2412d5770005c6d13d1a38dae43fc6dfc7bd86c323210555436cb67e59b7a9ea740b91671ac15a723d44d404395e8850a01e606

Download Submit
C:\Windows\SysWOW64\vcmgcd32.dll

Filesize
36KB

MD5
ae22ca9f11ade8e362254b452cc07f78

SHA1
4b3cb548c547d3be76e571e0579a609969b05975

SHA256
20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

SHA512
9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4184-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-195-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4184-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4704-66-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4704-21-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4704-164-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4704-71-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4704-7-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4704-190-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4704-58-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4704-0-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads