mydoom | 9d8ad90219a8be4b59b63d8078471efd262ede5e54298cd75abcacc1c8259a04

General

Target

JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe
Size

28KB
MD5

625bcacb2eb33e453be8e2d3fc61cf19
SHA1

a212a2a59ae687e5223f496b005e5ebd4db4b69d
SHA256

9d8ad90219a8be4b59b63d8078471efd262ede5e54298cd75abcacc1c8259a04
SHA512

daf87668319362bbe9c47e8e4272114275c2a834f68afb0705f4dfe544e5d59f648a3b77636e090761dd5d74eb7720b3f74f6e26f13d8e8a622765c61e251f91
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNms6QI:Dv8IRRdsxq1DjJcqfV

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/2808-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2808-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2808-51-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2808-137-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2808-169-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2808-176-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2044	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2808-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-4.dat	upx
behavioral2/memory/2044-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2808-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2808-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2808-51-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000705-64.dat	upx
behavioral2/memory/2808-137-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2808-169-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2044-172-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2808-176-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2044-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe
File created	C:\Windows\services.exe	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2044	2808	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe	83
PID 2808 wrote to memory of 2044	2808	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe	83
PID 2808 wrote to memory of 2044	2808	JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_625bcacb2eb33e453be8e2d3fc61cf19.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L6PPXFHA\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29F6.tmp

Filesize
28KB

MD5
7209d23e724e6da12d5785330bb00045

SHA1
ab847df35e80537d7437e5856fb9d206cba4257c

SHA256
1a385c47fd46911b1e3eafde41ca13ff46befe0f2397491f439d59003599e04a

SHA512
bf18cc2eeff751efb923de560073beb4e4ad02c234a227b93095bd87f3c24bbfd227f790e4c4b20f06afd788563476a8de86da4dd221c1f2b91e30b84a0a6adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
de41bbee6ede7dccc96d225df24d20a3

SHA1
d5928ad928531b7d5902e101df922eb4c30c35d8

SHA256
49301c4ff403133f3322dc2d4059c15db044d25028fbef6756167b7f59daedca

SHA512
0dc411cf167af48019533f2180b51e43d8adbb05c20a4d5a990bb65623d8c8a8251d4308b650daf1f12fa963bfaaa9b74254179e6ca67c3d0647ca782b173c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9c91e8c864e39146f7e598fac40a8d28

SHA1
931d37a7c34bc3c84b40a6cfc269f22b6e83eb0f

SHA256
70cc820aa3a11aa905a5e1646121d9339b67f9499b446a9f7d321c32b5b55eb9

SHA512
86b7d6989156fea36ff98a17d0921c3005c57e502ff158085c387f57e3e06497531584aa416c8f8a103925320d16bd48765e5ff0bb99e9f8ef002f1982a6aa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0d7eac4696d2d7458e59b4ba8cae362a

SHA1
f8e8385e2b31b8986e09f15015d01e59f85d792c

SHA256
de079be0ef26bbf58da3248cbee9109391a04cbe135eab55baf5bb4b54212a4c

SHA512
d18cd6fa733f22ceab7f8fedebe566a82408b64049ae62c16a0d5078fe2ddbb053885c13100d08474db8cb70a336fdb64ae6b2de89fcb422980150438f984d73

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2044-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-172-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2044-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2808-137-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-169-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-176-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-51-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2808-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads