mydoom | 1eb476a5da5476a3f514ef0daaf2683d2f54c60a4922a99399524cb1c0033dc8

General

Target

JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
Size

28KB
MD5

6a3cce621661fcfd563c8d3908442850
SHA1

b63702cc773a49a31a02318b0068376f8d5f4b32
SHA256

1eb476a5da5476a3f514ef0daaf2683d2f54c60a4922a99399524cb1c0033dc8
SHA512

a0b96bf212a813e7a764672843574dcb2b3fe3ddca51c100aa7ba8cf4b4ea53b09cc60fad01b4d86ec2a07bf0759a6fe1506d93fac53e4e43d70614585eb3148
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN8EM+qh9NZ:Dv8IRRdsxq1DjJcqfy2DZ

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral1/memory/2388-16-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2388-55-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2388-60-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2388-79-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2388-83-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2388-88-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3012	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2388-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2388-4-0x00000000001B0000-0x00000000001B8000-memory.dmp	upx
behavioral1/files/0x0009000000018b05-7.dat	upx
behavioral1/memory/3012-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2388-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3012-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2388-55-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2388-60-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000018b59-71.dat	upx
behavioral1/memory/2388-79-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2388-83-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2388-88-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3012-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
File created	C:\Windows\java.exe	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3012	2388	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe	29
PID 2388 wrote to memory of 3012	2388	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe	29
PID 2388 wrote to memory of 3012	2388	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe	29
PID 2388 wrote to memory of 3012	2388	JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a3cce621661fcfd563c8d3908442850.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE6A9.tmp

Filesize
28KB

MD5
9b427aca8be271427347a8ab98c662d3

SHA1
95cad11355b8ff2bec96a61dde9227571178e4d9

SHA256
dbfd7d1e981c19f4c5dffd2583cfad77c3631487a727b0b729ca5cf7927d5d29

SHA512
fc53b5871b0c875bcb8a0e10859bc5ae99a3847299758ca327d2948d15453a6e777a3ef0214ecb60fda6f15e13e19028b23b5563700f8fba499b03ba58e24826

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f9624dc9ff374f9ebb3c2bed165588b3

SHA1
41512d2ed54aabe88f02283bdd204b013c3d8444

SHA256
67ed365cdd8020be5507dbca7661757ef0999fef23a22cb04547708667d13d86

SHA512
a1f0733ad4f0e9132f9229a2846d18f4d917906aa0caa13f1cd19862ca7f44fdcef09f380883678c2c666d5f316890b058e6ff248f61d8d982eeb577f9177513

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
466e0612de31cae2a94d9dce54ebeb0d

SHA1
7143eb003d87ce33bb37abbb7961ca2b2e627b7b

SHA256
e9bfafa15b4ff49cf4167f4e9019ade409f4edf46f96c642e7e4a927616ae555

SHA512
faa39be161dd4e728d16953e5c6e59f79b1a48ce036c0de1bcc3271ca13887c74d3e718fa383af7940d9143eff353f626d0900670269abb5907d5a8954cf9497

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2388-17-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2388-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-55-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-83-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-79-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-88-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2388-4-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2388-60-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3012-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3012-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads