mydoom | 1fcdb5351a315b0ee7bc6eea2433d1d50783f368ae8de3fd5f7b99b36a1494d4

General

Target

JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
Size

28KB
MD5

7d21c2d75cbd1132926aef4e124a1eb8
SHA1

73948945314abc1dc3ccc6c15bb4cdb972236c35
SHA256

1fcdb5351a315b0ee7bc6eea2433d1d50783f368ae8de3fd5f7b99b36a1494d4
SHA512

47a756f4aae6034c7929d51dc77a73b1e1ed11956c9d3271e19ad5b83cff6f810460a86fcb884bd0496ac6ceaf6db7f9f988797ede1d0e773356422c0342d304
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNvTJn:Dv8IRRdsxq1DjJcqfSn

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/2468-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2468-49-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2468-76-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2468-164-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2468-183-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/2468-190-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2332	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2468-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000b000000023b91-4.dat	upx
behavioral2/memory/2468-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2468-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000705-60.dat	upx
behavioral2/memory/2468-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-118-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2468-164-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2468-183-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2332-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2468-190-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2332-191-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
File created	C:\Windows\java.exe	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2332	2468	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe	83
PID 2468 wrote to memory of 2332	2468	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe	83
PID 2468 wrote to memory of 2332	2468	JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d21c2d75cbd1132926aef4e124a1eb8.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE24.tmp

Filesize
28KB

MD5
21594c745fef0b7f4a1e11a9637f771a

SHA1
80ff4215e2d5b4ba7ae9d65369c790c1796612c6

SHA256
3d6d56bbcfde552cf1cb453ebd44714979bd5f451077f200f83089d1e3d26b95

SHA512
a9ed32d9861a6b4bdde686d3047ea9340740dbd74b30b5f6ba1a7916988759dc36ae2f550ddcf60b0ac31e0bddee1ea6cc2416f2f7deebf0fa94b6a56818af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
204b76b3f3dfbc1b9a5d82e548806d0a

SHA1
1a26c3c770eda1f01dd27da8cb0621b87af20909

SHA256
e6d56b3870cdc66569391e7c463f734b5fedf93643dd27838189a20e41189550

SHA512
bcf91187dc4219e17228fd378f1ac0f19dbdafc6dffa896926b63a211361952741b3ee78c2c0852181f71c8ca08f52b7d698d4c74649f9bfb4cb5f17b8f03f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5fb4f10cfc278b5a7b819f8a5b753190

SHA1
86b35f00564ca74698cff823c2b81db7abb3100e

SHA256
f7eb78dc32046bb06deaba471d6ed069febf9551a8f045d9a9800b2d981b7a2d

SHA512
4ac536b0d0b1f55a3687976eeef6b8e8f956c77add16fcc3af047e33addde282e1a6844e96cfe179c4d42e9446c42c6a2d59a9f966b52cec1bb4e9d029924268

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
27401c01c8a47122baab82e52f6a6826

SHA1
dc70d84bf36a20e12229836f39796c42177d6130

SHA256
48355cceef88e73b537f5a305c5c606b228bb653dc27eaac1b5141ec1f2a9f4d

SHA512
03aa49ebfec3905c99017bb990e10b30c43a80aef735be90ce938071d8f2d940c719f8a443fd45059c7442699e1a9dcc9a435d8cbe1a0d0b586dd037b64cc29a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2332-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2332-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2468-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-183-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-164-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-190-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2468-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads