mydoom | 3cbb34aced018541516812367b7bd3df163a5c628ccee8e46ebe7e1212366e10

General

Target

c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
Size

28KB
MD5

c264727a709d14efa7cdb815b4bd490f
SHA1

8a900172f482cac8ac4ca111a735d92af6aa181c
SHA256

3cbb34aced018541516812367b7bd3df163a5c628ccee8e46ebe7e1212366e10
SHA512

6fd7f4d3e0fbe81dd4bb122899301adc7f535b2b8d162ed2a3d641ddd4703961c6d964e9c9b49dd31b6a9ebf10a6168a813f28cbb11d3d385ae136163cc05fa1
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNE:Dv8IRRdsxq1DjJcqff

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/2104-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2104-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2104-60-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2104-152-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2104-181-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2104-188-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom

Executes dropped EXE 1 IoCs

pid	Process
2108	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2104-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023584-4.dat	upx
behavioral2/memory/2108-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2104-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2104-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2104-60-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00070000000226c8-62.dat	upx
behavioral2/memory/2104-152-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2104-181-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2108-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2104-188-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2108-189-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
File created	C:\Windows\java.exe	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2108	2104	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe	91
PID 2104 wrote to memory of 2108	2104	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe	91
PID 2104 wrote to memory of 2108	2104	c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c264727a709d14efa7cdb815b4bd490f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\default[4].htm

Filesize
304B

MD5
267ddfdbb8d492b25de208d84b290f1c

SHA1
9f57d9f19f25549e1232489a0c101a92e851de2f

SHA256
ef1f87447ae1ab45548d2934cf0dbd15a32b86359ff9fccfa48d76c1badf6586

SHA512
0709aa62d39d419d335183235dcf328e1dfe6997bd9bfbdeb01bb050df8dcab63ec2d4f46e4718ab389fa8e12af66dec2e3019c8871ac6e40927a25cb706c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE48.tmp

Filesize
28KB

MD5
1f653d0e7f8f59d7a373ee734455b363

SHA1
c9c00ea5f6c6657cf3728da9c6511c2f67829d56

SHA256
27b9609271d0ef3405bb0b9e94b1693cc2951928b0722c3b5cb8b26ff8f09345

SHA512
58662d98559da73efbb388367bd45b9b312911abb6a55663d128c72bb4546bdaeadbb2a00458d75c841fc4865f420ec7d45075a0a05cb063e47feac7fa33fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
afec7abb86956a79e4cd060ec8d66d27

SHA1
e4cbd9788f728fa6783b8b6e84b68f823e801b96

SHA256
cd32e3d031538f18ef75b2bb786ab69b426d07deda33703898039aea00f4e63c

SHA512
a372f21b63cb72eadcc2c251a0095151014f1608fbd20c2e63eddf5fe4f43d7687efd2072eace7e94b391d7e2dc47534199ee071ad8a17c11e7b112c7f8a3f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9767e605f135a1c1ab8f139b917c7c43

SHA1
0d8bcddf3f4b46c49fed4485a3de82456a717ee6

SHA256
558070856235a747d6b475e8db99b778c66a4ad0b807446a2b4563ff2b3e2b61

SHA512
f907dffd7bd664286f8ed744e2acf4a54789d56030615c124b632e95ef415ba9cb1539ed73a24bcb4bffcc89f772d3e255dc970ec2d69e61189847a7feeeb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
49c8beeb486c7f3f58fe991ffc3251df

SHA1
3f80ee34d57f16a40335320a73ecbb1abb80ae2a

SHA256
2717e8d1abe0dcf613f12c65afea9a5772003a02317f73c2920ec0164b4b96ed

SHA512
c3d2d2c83aff4df5348917c803e3abcbdc8c75d7b1e5e34a0a8cdc63a01fb2635b1a39927c17573252f88b7a762a4058b68fe1f08663c38ee226f71b688aa671

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2104-152-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-181-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-188-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-60-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2104-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2108-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2108-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads