mydoom | 7f9e894cf5830daa4e806eb76675c3990e2d6d1da6e9151bd723d3c2832230df

General

Target

JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
Size

28KB
MD5

040b6c9a188e279bd53c84de33fb9570
SHA1

79725513817c0504a087e2adee284fc8eb9b19c9
SHA256

7f9e894cf5830daa4e806eb76675c3990e2d6d1da6e9151bd723d3c2832230df
SHA512

8460b891afe8fd510f8a44a0736a7b8c4131b49e609daa3d6ed41a3d5c73bb06825633214106be130295205bcaebc2717a4aa77fb6c09a9670ee94f87d01477d
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNFRLLn:Dv8IRRdsxq1DjJcqfURvn

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 5 IoCs

resource	yara_rule
behavioral2/memory/3900-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3900-56-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3900-123-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3900-153-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3900-157-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
2040	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3900-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000b000000023bab-4.dat	upx
behavioral2/memory/2040-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3900-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2040-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2040-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3900-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2040-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000000705-62.dat	upx
behavioral2/memory/3900-123-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2040-128-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3900-153-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2040-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3900-157-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2040-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
File created	C:\Windows\java.exe	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2040	3900	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe	83
PID 3900 wrote to memory of 2040	3900	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe	83
PID 3900 wrote to memory of 2040	3900	JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_040b6c9a188e279bd53c84de33fb9570.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6131.tmp

Filesize
28KB

MD5
24bf638863a1b4c81af13383a8f8a66b

SHA1
531ac5a85828ab1a3351ff29a3765c0c9d2175ca

SHA256
7dc7d2331f43b335ea80ff6fb6ce0c047d5225e2aac5e949492a353febb45154

SHA512
b87f7e475ee1f0b243f4f332d3cd9341aa50ce8c3fe4f3f229a5673f678bfc73c5c994fd7ca22ac48813feb58cae124f93ea9ac27b287f959bc4445924f3727e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
36e65b3da6a93a3c99ae4a4eada74f6c

SHA1
0483c46f03c018759b5e277a31903defaafdaf11

SHA256
4449c441ae93c714ad34cf76cde41eed58d46b33078f00aaa2d5bcba5ce785ba

SHA512
b52d154281d3138a167017f8ae22ea7704d37fdc656e460c474955dc22412b064a1d81a9f874b9d102f93da47f40f9b595be5aaab8fd5e8a2df23f4e566b3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9eace51c18352d5b4ecef4477ef39492

SHA1
3f79e21cbda372fbc53762d4e747643b8ead7a6e

SHA256
45c0fd289a3d762d312ef2d8ba4ec37c7db23a8bdf53a51bb4cffde8194f3c57

SHA512
ce2a8e2815bbfa7fa68bd87286f0dcae6fd19331b36a10b96aa87a417b4f6a29f3af9f6a81cb43ab2f20559ed938b92aa1599b6dd082fa541da7b472cf54ef50

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2040-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2040-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3900-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3900-123-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3900-153-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3900-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3900-157-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3900-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads