mydoom | 4157dac85d1d0958494cf4d7c8fa1fc6d91b2e0248c1851f714adbc486852a96

General

Target

JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe
Size

28KB
MD5

54c2f5784285538c9b947dd4ae4f0f06
SHA1

053103c3f768aadce845a744c7c2d7de7c5abcdb
SHA256

4157dac85d1d0958494cf4d7c8fa1fc6d91b2e0248c1851f714adbc486852a96
SHA512

8ee4b6c766938621fca8f4842c3428661c7f3d053c970589d73bd981d75128fec439b0b591a6174377aa11d0fc2def289216b6495f60e7ac2c5d19e2aed6a484
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNtfAw:Dv8IRRdsxq1DjJcqfEYw

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 9 IoCs

resource	yara_rule
behavioral1/memory/1732-2-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-17-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-54-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-73-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-77-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-82-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-84-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/1732-89-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1948	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-2-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016dd0-7.dat	upx
behavioral1/memory/1948-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1948-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016edb-68.dat	upx
behavioral1/memory/1732-73-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-77-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-78-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-82-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-84-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-89-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1948-90-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe
File created	C:\Windows\java.exe	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1948	1732	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe	30
PID 1732 wrote to memory of 1948	1732	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe	30
PID 1732 wrote to memory of 1948	1732	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe	30
PID 1732 wrote to memory of 1948	1732	JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54c2f5784285538c9b947dd4ae4f0f06.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1789.tmp

Filesize
28KB

MD5
d8ce5e2002982075f2a50871a61eb45f

SHA1
3a3aa1bc9c03589ded5295fa9edbf65ea8ce4a8c

SHA256
aa052874d7b12734a60409e2f001ab01e86bdef8eaa389522c88bdcab6c2fdfa

SHA512
cc1aa6ec2343e746b25bc4968ae4dbc1a900851db76b7daa521189e33ac12639d49ce13462ab7b171a59e11b66d9c2cdf5d17ed0b2506c14f6945a604772d709

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
cbf73ac41ef7624b48524fa513cd6752

SHA1
603fa45b2944afbd2b75b25700898f606943186a

SHA256
8415ea425813a32cee0c5fcac0674b9280a83495bc23ae987afc7465dd635295

SHA512
34ef97bf437a13ee2374ac90dc90c1a4ad9597385376717a0ffa2d1a8d7dc00b868dfe5237c8a77aa99e36e8a7f3630bb55831aade5c59ee5a6311d66f432bfd

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1732-77-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-89-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-84-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-82-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-2-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-73-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1732-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1948-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads