mydoom | 0bbf671900fc70586195a7b96d4017ee9f876c7d1c0253aa51794d7f86ccde27

General

Target

JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
Size

28KB
MD5

78f0c78732c9e390523a86c69e29a05e
SHA1

bc45fbc404021d2f0c8613cda491dca1b89bae2a
SHA256

0bbf671900fc70586195a7b96d4017ee9f876c7d1c0253aa51794d7f86ccde27
SHA512

e4fd632ac3eb0c3524fd172d78d90f3babb65f4e9a7cc833f94e67b068a5c036eb41047c8a5d888b246902b7761848988a7839fae1ea6650635a74681038b5de
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNLIo2Su:Dv8IRRdsxq1DjJcqfe8Su

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 8 IoCs

resource	yara_rule
behavioral1/memory/2408-17-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-48-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-53-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-72-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-76-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-81-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-83-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral1/memory/2408-88-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
1732	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2408-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0008000000017403-7.dat	upx
behavioral1/memory/1732-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-9-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2408-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1732-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-48-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-53-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-64.dat	upx
behavioral1/memory/2408-72-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-81-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-83-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2408-88-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1732-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
File created	C:\Windows\java.exe	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1732	2408	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe	30
PID 2408 wrote to memory of 1732	2408	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe	30
PID 2408 wrote to memory of 1732	2408	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe	30
PID 2408 wrote to memory of 1732	2408	JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78f0c78732c9e390523a86c69e29a05e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp743.tmp

Filesize
28KB

MD5
9d4bbf3a5dea4a47e9fbe9038d9bb5e5

SHA1
e5438905221b8e192c34d7e551ed5819221a6066

SHA256
e47cc8efa40750b3d60a97c266782c608eb93493444e136662a9943ec69623ee

SHA512
af54c46ad68a68a33114b14cc568805ebc25e2a120a0951fc0aaa9f442ec70cb1361bb0f9397a3e9bd41e49a36e9a8add0843445bb61195d5f6de69cdc54add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c020b40329d99055d45b4d564f56deae

SHA1
59042b5fbd63bf4d72ae44bc417afe4c94d66f92

SHA256
7d5bc09147223c52c68336a9e8adc1387e63dcba63aa72f9b466b01d2b5c991a

SHA512
a10855e77c7edf2ddb896465047f04764728faec40bce1a9e798c593d1cf86d74f00b78f08df934ebce66e3e1c9622eaba35d2d451214530a8515875bfa33385

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjg9emFVcj.log

Filesize
1KB

MD5
d83558ec44befce0004974afe193ea4e

SHA1
27af0e4afbd16d31accffd73fb95f92d4940d54a

SHA256
707de7c2d47054df6ad472c260d636777333fe5e6665c07813bd36d27cc1bb40

SHA512
48fc096133578ee1fee0ec88fe65659b627cba0b542a089846f2809a1dec690abf412dc3adbf985f0bd93df81c62946ca136c487c2c65cf313c8e9fbf64319ee

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1732-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2408-48-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-72-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-53-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-81-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-83-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2408-88-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2408-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads