Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15-12-2024 01:09
Behavioral task
behavioral1
Sample
f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
-
Size
28KB
-
MD5
f197be49aa57c41d202aa65df0e8ce62
-
SHA1
9478f2c4ace7aeb988faf1d14cdc01cafe86e70b
-
SHA256
d34d97102778f0c229066b5480cbae65146fadec6f92b70e3b0cf129cb8b4a40
-
SHA512
ecd13ead8ae877f27502dfe62e1bfdc8903e1b7a0cbeb355e91bb494046b3cfee0268a06ecb9b3da49a867bab88e3ea4bbdd575f8b76c10d8f041ac2053c3dc8
-
SSDEEP
384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNhnUSanLo:Dv8IRRdsxq1DjJcqfydaLo
Malware Config
Signatures
-
Detects MyDoom family 11 IoCs
resource yara_rule
behavioral2/memory/1464-13-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-27-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-143-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-180-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-182-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-187-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-220-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-222-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-226-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-267-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
behavioral2/memory/1464-274-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom
-
Mydoom family
-
Executes dropped EXE 1 IoCs
pid Process
2024 services.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
-
resource yara_rule
behavioral2/memory/1464-0-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/files/0x0008000000023cd1-4.dat upx
behavioral2/memory/2024-5-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-13-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-15-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2024-16-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2024-21-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2024-26-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-27-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-28-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/files/0x0009000000023cef-41.dat upx
behavioral2/memory/1464-143-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-144-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-180-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-181-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-182-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-183-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-187-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-188-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-220-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-221-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-222-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-223-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-226-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-238-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-267-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-268-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/2024-270-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/1464-274-0x0000000000500000-0x0000000000510000-memory.dmp upx
behavioral2/memory/2024-275-0x0000000000400000-0x0000000000408000-memory.dmp upx
-
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\services.exe f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
File opened for modification C:\Windows\java.exe f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
File created C:\Windows\java.exe f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1464 wrote to memory of 2024 1464 f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe 83
PID 1464 wrote to memory of 2024 1464 f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe 83
PID 1464 wrote to memory of 2024 1464 f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe 83
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f197be49aa57c41d202aa65df0e8ce62_JaffaCakes118.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1464
   2. C:\Windows\services.exe (child of PID 1464)
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 2024
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
123KB
MD5 39f1c609abbdcd21d6333aad83674db4
SHA1 8f62a39bdc3cf70886b00851b4ffc0d484744f97
SHA256 8a351a09406a6e468008410c0174f7445e15fddaaa9ca2f53f88eb3b729a6a74
SHA512 327b4584985deefd4c7736ce1543aec41c7642bc85c5868d45e866747db153a9caa0999376c1d88aaaa737d3597d36736d97320bb95dfd5dfd114692f700e33d
-
Filesize
162KB
MD5 7aac51bc152bd2de2c9fa44447d9edc1
SHA1 852a1b32aa12beb1b0929c7dc42ab205b1cd1712
SHA256 eb572baef63cbaf942eb9350a144e814352beff807fd84024b071ce12c55dcb1
SHA512 19d33aeb0cdd1f50a0a29c50a495c5f467bd3cb29ab017398ec67b3f0aac9974e5c7eeb0ae8f1f64c423835d8bf59ae14d832a6f7919e19dad124e5576176f9c
-
Filesize
129KB
MD5 317559bc3db14e1c672732f662c67ab2
SHA1 3747f25de84035f94f15e194ea65a23925a85062
SHA256 61dbce028881054551f88cfe4f1b1e79f8bdcd7a1e0816579f75154c5c484d4b
SHA512 6ef83e3c5d6d11054246a250fa980ddc07f306e466161720a59ab24aeb142dcaede6804fe8489501c9e368f86ad6baad49695f700db53788f5ca82ba7653a3d5
-
Filesize
1KB
MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
-
Filesize
25B
MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize
28KB
MD5 f197be49aa57c41d202aa65df0e8ce62
SHA1 9478f2c4ace7aeb988faf1d14cdc01cafe86e70b
SHA256 d34d97102778f0c229066b5480cbae65146fadec6f92b70e3b0cf129cb8b4a40
SHA512 ecd13ead8ae877f27502dfe62e1bfdc8903e1b7a0cbeb355e91bb494046b3cfee0268a06ecb9b3da49a867bab88e3ea4bbdd575f8b76c10d8f041ac2053c3dc8
-
Filesize
1KB
MD5 4a665f4c2f086c28e1b9da673d437ff1
SHA1 3ae7754f47c6a8f181150f362315af3d8541b7a9
SHA256 da844bbdc34a37b45ddbc8f581143d6ada77599736bf2ef7f170089cbf1ef225
SHA512 2ed2ab564a9930186d2f71415d8de4cbba4529453966f16d0bd8aa5f70e3766ec3e06e47abc309f1dbd6952709af0fa382cef897a5317c16134d48e237680de8
-
Filesize
1KB
MD5 6065b2ea18c42268748756fa8dfe2a31
SHA1 21b63e9d9cb87caad370eff03a7a5d0b377058eb
SHA256 7039d45ad7d4524e606ba2747ff35da56b0c1accb3c3c4600f42c1a5dbc24217
SHA512 991cf19f40af991eae41b089a2fa22cbd20fb9de973bd208d1af50fce09c5632e9277f369a072044b861aaf00df44e630891841db3a7d1c5067ef51c7d3d5e5b
-
Filesize
1KB
MD5 5579831d23ba992cffa8419465f88d85
SHA1 83f69bad6706b5bed96a008abe1acf1daf4ab1c0
SHA256 f6fbcb8bca4e251900d6acdae8b0e36ecdb31d342fc77877dd17459efcb1462f
SHA512 02d57d8cc189b0403bf940ae1c2e165f3270601ffa9dcb0d76735df0d1cd487affd4b0189b65768ffa95cf9f732a994e7f8228ba2d36aaf8f660eb7cde376646
-
Filesize
1KB
MD5 8cd2768300b68d8852eb2fc46dd3085a
SHA1 dcefaa9e6a7686b6f830c30505b28ddd7e1dd0cc
SHA256 6056220ce3c7ae0376f9c1c916d70682899b027154ebe45009b9c35b7c91938b
SHA512 a22fd1d86f1dded37c856b1d20319c847355dfc607d4963c7d233517c0a45cfb5fcb0b70d34722b12ae8b7a25053e032a64da4440d5b11d61d7556b9e5555474
-
Filesize
8KB
MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2