mydoom | e01c11b733e01186681bc6d98046f6d7e56eeee1b89be4dfefe43c0acc2d746f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
Size

54KB
MD5

638a4ce6e38d47606a529668963a64b4
SHA1

c4445f5b50e493420c1d2b6a049bc4e1d5fbca0b
SHA256

e01c11b733e01186681bc6d98046f6d7e56eeee1b89be4dfefe43c0acc2d746f
SHA512

99a1267b6111eb36be2940e123ccd11f2da5c619129a0ac871ed7da74d50b84643c54eddc1942c6205624273a99fe49d8a07f225949ccbe6b5a0788b31ecda45
SSDEEP

1536:SNqaLV8a6pFG7FFwz9Q5vBn6U/1WTD0tF:SNqMKIAzknpWTy

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral2/memory/1364-3-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-5-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-7-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-9-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-11-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-13-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-91-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom
behavioral2/memory/1364-140-0x0000000000800000-0x000000000080D000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1364-0-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-3-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-5-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-7-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-9-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-11-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-13-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/files/0x0003000000000713-18.dat	upx
behavioral2/memory/1364-91-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/1364-140-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Harry Potter.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\Winamp 5.0 (en) Crack.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\index.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Winamp 5.0 (en) Crack.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\index.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Winamp 5.0 (en).exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Kazaa Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\index.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Winamp 5.0 (en) Crack.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Kazaa Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Kazaa Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WinRAR.v.3.2.and.key.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\Harry Potter.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Kazaa Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Winamp 5.0 (en).exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\ICQ 4 Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Kazaa Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Winamp 5.0 (en) Crack.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\index.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Winamp 5.0 (en).exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\Winamp 5.0 (en).ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\WinRAR.v.3.2.and.key.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\WinRAR.v.3.2.and.key.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Kazaa Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 (en).exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ICQ 4 Lite.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\index.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WinRAR.v.3.2.and.key.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\WinRAR.v.3.2.and.key.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Harry Potter.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Winamp 5.0 (en) Crack.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Kazaa Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ICQ 4 Lite.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\index.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Winamp 5.0 (en) Crack.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\WinRAR.v.3.2.and.key.com	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
File created	C:\Windows\lsass.exe	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638a4ce6e38d47606a529668963a64b4.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\ICQ 4 Lite.exe

Filesize
54KB

MD5
638a4ce6e38d47606a529668963a64b4

SHA1
c4445f5b50e493420c1d2b6a049bc4e1d5fbca0b

SHA256
e01c11b733e01186681bc6d98046f6d7e56eeee1b89be4dfefe43c0acc2d746f

SHA512
99a1267b6111eb36be2940e123ccd11f2da5c619129a0ac871ed7da74d50b84643c54eddc1942c6205624273a99fe49d8a07f225949ccbe6b5a0788b31ecda45

Download Submit
memory/1364-0-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-3-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-5-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-7-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-9-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-11-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-13-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-91-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1364-140-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads