mydoom | e13544672d37641d0c5a286ef50ba755cf8eec649e0e0668f1d74b7fa6a38ff8

General

Target

JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
Size

47KB
MD5

7893ade1869d84637d805ebec5f14fc1
SHA1

7f5a15dc0755c98ddb82aac5eba7949fdd575ad5
SHA256

e13544672d37641d0c5a286ef50ba755cf8eec649e0e0668f1d74b7fa6a38ff8
SHA512

c0f1eeb71e9efba9987514e7bb6aa9e1a032d9774c008a45799787f85381f3ac7e8e223a38b47bd34b79b027d4f3156137638562f49442ad8c04aa4385074658
SSDEEP

768:jv8IRRdsxq1DjJcq7g9Ot25cmxoCayf1v1iPfDmBGz5T:DxRTsxq1DjCPOtXHCaWiPfDwW5T

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 6 IoCs

resource	yara_rule
behavioral2/memory/4564-21-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4564-64-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4564-66-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4564-149-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4564-173-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom
behavioral2/memory/4564-180-0x0000000000500000-0x0000000000515000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1104	services.exe

Loads dropped DLL 1 IoCs

pid	Process
4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcmgcd32.dl_	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dll	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4564-0-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-12.dat	upx
behavioral2/memory/4564-21-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-64-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-66-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000000709-68.dat	upx
behavioral2/memory/4564-149-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-173-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1104-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4564-180-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/1104-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\WINDOWS\JAVA.EXE	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\WINDOWS\SERVICES.EXE	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File created	C:\Windows\services.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1104	4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe	82
PID 4564 wrote to memory of 1104	4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe	82
PID 4564 wrote to memory of 1104	4564	JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7893ade1869d84637d805ebec5f14fc1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4694.tmp

Filesize
47KB

MD5
bf81084bd19ccb5d9d9843ddb1771bf8

SHA1
18a99f572f51eb2d718e858862eefebee8d62b61

SHA256
9c888a9ecebad5e0419ca2feb9085ed33acc6270e151148fd992b4fee019215a

SHA512
4e564d999913ff0995d3ecf126b01273553d395f2c3c512fe2d480222fe4503b7c8a1aec4607b487726574434c30d4088fea18e94c55c866173735d76bfde8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
64B

MD5
f01e803d539d272a5cad2c71da01c967

SHA1
96a73b308190a045ee744f87c19b3752d83a309a

SHA256
f0052f48c2f1395c2d3798b4731a437d2aadf89c086a483d70eb7d7046f9b628

SHA512
71572f763c6b98b8beea269a5b263dcc864e53927cf4f4d5593cf13dea75890349a9ae0a0284851751b0c607a17b0c104f34de7786222a54c3cec6403c4b6d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
64B

MD5
2dcc125f6d00906b17b297acaed69490

SHA1
869184b5947e12ca30f5656df73fa807a04a2868

SHA256
2350567ff89be199d26c580ab30fe0b70c8ef91e1250038cc85088d7cfbce552

SHA512
03cfa673dda7bd88adbbdcd94f59179dcdf90f99fba231a8675f775e4d8eb7b7578fa79ba3084f08beb52da8f5076a8b16b078e2c962cce58d19fe1bea78400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
64B

MD5
6471c7ebdc435eed3930b55ec2293b5a

SHA1
e04738face5499124947d93de38417eb40cfe357

SHA256
33150bc5c76e78f7836bb88e87bc323592621d2c2a2eb8119c0142a0be1b599d

SHA512
42d97a6a1408c0f526e649545b312d54689a01b0b8c26dff70aeb3107358568621f1241be53188856d3280aef9f9f797a7bb8d2ab55998e507075417b66fb19f

Download Submit
C:\Windows\SysWOW64\vcmgcd32.dll

Filesize
36KB

MD5
ae22ca9f11ade8e362254b452cc07f78

SHA1
4b3cb548c547d3be76e571e0579a609969b05975

SHA256
20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

SHA512
9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1104-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1104-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4564-58-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4564-149-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-21-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-173-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-66-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-64-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-180-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-0-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4564-7-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads