mydoom | 04b388fc0c7bacdecd97bdce79bd8cb5b00b8973f82408c877f209b7aa279813

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
Size

60KB
MD5

b2ae951c98bf12c2156ff8fa516ed028
SHA1

b62ca854b901ec103119571097f3b288369ba84e
SHA256

04b388fc0c7bacdecd97bdce79bd8cb5b00b8973f82408c877f209b7aa279813
SHA512

bbdef5d138e42ce50a642ef15a5579e6a082f851f4d87fc0f37743f95e76f0549537f8d14f45462bdf6b07eae005f3977f9fbc4062219d6d95757ebe6ae923dd
SSDEEP

1536:/g7wc1aGNC0klI7CPN3cfmPxUYmy1MzK1wy3:I7wc1aOCo7C13zCzy1n1f

Score

10^/10

mydoom discovery persistence worm

Malware Config

Signatures

Detects MyDoom family 3 IoCs

resource	yara_rule
behavioral2/memory/2872-0-0x0000000000800000-0x000000000080A000-memory.dmp	family_mydoom
behavioral2/files/0x00020000000226c9-6.dat	family_mydoom
behavioral2/memory/2872-23-0x0000000000800000-0x000000000080A000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\Harry Potter.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\index.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\ICQ 4 Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\ICQ 4 Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\index.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ICQ 4 Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\Kazaa Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\Kazaa Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\Winamp 5.0 (en) Crack.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Winamp 5.0 (en) Crack.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Winamp 5.0 (en).ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\Kazaa Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Winamp 5.0 (en).com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Kazaa Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\Harry Potter.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Kazaa Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\index.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\index.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\Winamp 5.0 (en) Crack.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Harry Potter.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Harry Potter.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\index.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Winamp 5.0 (en).com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Winamp 5.0 (en) Crack.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\WinRAR.v.3.2.and.key.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\index.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\WinRAR.v.3.2.and.key.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\index.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\index.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Winamp 5.0 (en) Crack.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Winamp 5.0 (en) Crack.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\Harry Potter.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\Winamp 5.0 (en).com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Winamp 5.0 (en) Crack.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Winamp 5.0 (en).com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ICQ 4 Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\index.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Kazaa Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\root\vfs\Windows\assembly\GAC_MSIL\Harry Potter.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ICQ 4 Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\Kazaa Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Kazaa Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\ICQ 4 Lite.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Harry Potter.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\index.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Winamp 5.0 (en) Crack.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\ICQ 4 Lite.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\Harry Potter.ShareReactor.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ICQ 4 Lite.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WinRAR.v.3.2.and.key.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\Harry Potter.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\Winamp 5.0 (en) Crack.com	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
File created	C:\Windows\lsass.exe	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2ae951c98bf12c2156ff8fa516ed028.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Winamp 5.0 (en) Crack.exe

Filesize
60KB

MD5
b2ae951c98bf12c2156ff8fa516ed028

SHA1
b62ca854b901ec103119571097f3b288369ba84e

SHA256
04b388fc0c7bacdecd97bdce79bd8cb5b00b8973f82408c877f209b7aa279813

SHA512
bbdef5d138e42ce50a642ef15a5579e6a082f851f4d87fc0f37743f95e76f0549537f8d14f45462bdf6b07eae005f3977f9fbc4062219d6d95757ebe6ae923dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3796.tmp

Filesize
59KB

MD5
5faae4e0e598a0cc33fe316846881d85

SHA1
51b2ecf331d9ab9b158cbdd87ee19ec44f2a90e8

SHA256
b56a549f31b17f05efedd9ed20ebd8a1ceb1e5b4dc45e48667aab9bbec0e341d

SHA512
599a450bf880c46ebdf87ad5f130874082136160a2b21c9d22b6fb476a13924c3d956ef8dfb0a5f491557a114197856d0470baafd69cef2af678ba8f0b184cef

Download Submit
memory/2872-0-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2872-23-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads