mydoom | 2069199d07ce5ec4adf7b76c5e38cf404ba0e2f5d88c1e8e2aaf0ef96e09436f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe
Size

28KB
MD5

7bc04706079ee3a6c7375ae98b08145f
SHA1

ab9a9bd4518f785042ed605f4c845c5d7c5f7423
SHA256

2069199d07ce5ec4adf7b76c5e38cf404ba0e2f5d88c1e8e2aaf0ef96e09436f
SHA512

1db82b15516a1f223f9eabdfe69987b653bfb497186448fb457d6f04038caa0e405536e130f84d56ddb46a1f6b76cd079f2849a4eb0214b67832c9c6afc2e716
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNJjBR:Dv8IRRdsxq1DjJcqfi7

Score

10^/10

mydoom discovery persistence upx worm

Malware Config

Signatures

Detects MyDoom family 10 IoCs

resource	yara_rule
behavioral2/memory/3944-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-32-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-37-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-237-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-251-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-258-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-275-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-295-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-297-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/3944-307-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3652	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3944-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000241f2-4.dat	upx
behavioral2/memory/3652-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3652-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3652-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3652-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3652-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-32-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000f000000024008-48.dat	upx
behavioral2/memory/3944-237-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-239-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-251-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-252-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3652-257-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-258-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-259-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-275-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-276-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-295-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-296-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-297-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-298-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3944-307-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3652-308-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe
File created	C:\Windows\java.exe	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe
File created	C:\Windows\services.exe	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3652	3944	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe	86
PID 3944 wrote to memory of 3652	3944	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe	86
PID 3944 wrote to memory of 3652	3944	JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bc04706079ee3a6c7375ae98b08145f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A9DTZBH\search[3].htm

Filesize
123KB

MD5
493728881335de65dcd285a8d61dd11d

SHA1
ddf860008603ef18132f01115c25ecb3218d7522

SHA256
af8db95a154873937702db4b459840c1d97c2fa27381ac3ec4852fdef74af0ba

SHA512
094dc55895f70f3fabb4aa005121778bb0597ddf0894beb32c1850636b79eba2aacb20599882108a25b391210aa5a4f580ad6548e82b8285f52e9eaa850dba04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1LMZA12E\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1LMZA12E\search[3].htm

Filesize
138KB

MD5
d08f4f64a1918425ccb8f15f327f82e1

SHA1
f67fa44077ee68828edeaca23e2cce1d81ff1371

SHA256
c5f3cce8c065c3eb4d67edf03ec0bda7bc1c8bc880e978b0704133be22d912fd

SHA512
eadc5adf86d2c9aa18363eeb687d80854128a621cb8cdcfd0f324e2b096aec7c846ffa2051020995ed077a6c67a2d65beda229db3a09434ca4406bde7f597fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YAN2J8O\MZAWETZZ.htm

Filesize
153KB

MD5
996b0a91f29d3443352f3785fd9bd2ce

SHA1
bdaaa7c921524eb25b2ddbaa0721eb3d2b67a551

SHA256
51ffc3390e5031a5b02d8621a2b005b9e8b5d57d39ffab29afe6ed2f487fc129

SHA512
161e28f38157fc1d463792713709013b252211be6b3c5305b6e5fa134849534a57955c620de57db447497715ad971e75aae5b7454175edcfd04b685ee13f5850

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9jhuid.log

Filesize
1KB

MD5
68117ef88bd5ac8ec55fa1360e00804c

SHA1
d9205007e8eecb17fbe4a9267a3278e4dc52811c

SHA256
f26fb812f82dd2a4a3a7a83a98e0154394a37c66edbf9e24a8ee95db9aa35ae3

SHA512
a71cb30b5955bb60c3ad61d2bd6e18f427e347b0120e017d1a004b27f1128975986d9451a64147af6add5cd1ca1c3fa403554b988434eb60a1f7228af653f15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32D5.tmp

Filesize
28KB

MD5
758c1ea9e4d07156a4648ab287744b43

SHA1
d4e6f059e9e08e09cf2b523b938d6fad2fad45ed

SHA256
38495684187e7c06599883bd53be91a513ef603eba472526278b290992006485

SHA512
d0436298aa4e67981194a3cb32f539f0a2bf28b798d9bb2b11a1bcd663b0eda9e8f0d8f576ae28ca5416c823b7f9936afbfc9852b1455d0978028754bab65b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
248eb63ceef9a177bba68d2ce492c50b

SHA1
a5b3394d8d053637b7d92a60eae387ddf68a9ac3

SHA256
dd4ee029e2caf3ec1f99023f8ba2a7109f870c9717a1373aaf399573e8241514

SHA512
04d0ad9063adeb2d36a5e85a0d7033bac4e8b931415464edc4687604c322202a49189c51b958ef407e8b085adc98c7cf5ea4d61073636b12837b55d25698b409

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b12cc15b32b5e8064bf367d8e0c1b9a5

SHA1
56bd693f6510caaee4457527f285482970ebb1df

SHA256
8c8c576c6b039151cf3f60bcc348f2359abcfea5151ee560f885359a87e73313

SHA512
91fdb0995daf60eaef232c348e19768da5bc2514097321908e1c9eef96475b8424c0da4eb8ec578ca80eeaebfca163c1c34f59e36727613b9f3d8e36bc17e938

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4698a4547ecf10f4eeaecbb11ee48d81

SHA1
0c08f3fb7cc1ebd5c4afd297ba3ca4e236095e1b

SHA256
928e1b79bb1acaf267e65f713741092a10c1ff5a5c0c2bd307f9191a9290fe68

SHA512
f3574528e4f0aa8c96550b091026b4ad12884acb1238ff89c0db38e7144effafcc951df07e36f7ab936029fc21efa9595d876ddc1f6db50cabf21e99e22fb512

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3652-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-252-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-308-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-298-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-296-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-276-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-257-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3944-258-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-275-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-295-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-251-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-297-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-237-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-307-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3944-32-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads