mydoom | 477a87c37b59893daea95412895af6d7c88e05a5f5525dd82b94ad05caf21695

General

Target

JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
Size

28KB
MD5

89b26bbd1ab896ecfd2d8f8610d30adb
SHA1

a859b396dbc31033ec3849ab58419d9c94a30aa4
SHA256

477a87c37b59893daea95412895af6d7c88e05a5f5525dd82b94ad05caf21695
SHA512

64c7147eb0c43eba0f5f60730c9181301a2c057c76d2db9dacf7ff5d51ab401b13c43eda59ed4d7fb5410d722ba19d88b701bcf2fc0410005077b786a2adedf6
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNq:Dv8IRRdsxq1DjJcqfJ

Score

10^/10

Malware Config

Signatures

Detects MyDoom family 7 IoCs

resource	yara_rule
behavioral2/memory/116-13-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-44-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-178-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-236-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-240-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-247-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom
behavioral2/memory/116-265-0x0000000000500000-0x0000000000510000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Executes dropped EXE 1 IoCs

pid	Process
3436	services.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000024241-4.dat	upx
behavioral2/memory/3436-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-44-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0011000000024086-55.dat	upx
behavioral2/memory/116-178-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-179-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-236-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-237-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-240-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-241-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3436-246-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-247-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-248-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/116-265-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3436-266-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
File opened for modification	C:\Windows\java.exe	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
File created	C:\Windows\java.exe	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 3436	116	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe	86
PID 116 wrote to memory of 3436	116	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe	86
PID 116 wrote to memory of 3436	116	JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b26bbd1ab896ecfd2d8f8610d30adb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MHD417D2\J31EJTMC.htm

Filesize
153KB

MD5
720be25c712bcffc6b0d46239ffa9b06

SHA1
f506a9bce1a2de6cf8b7de1324650610bf412701

SHA256
5ee8c2c1c5846d4973b7d3b4f34ba52fc08aadf3f0fd65be0b79d6e4bf28df35

SHA512
756d7777f868b9a20a022123dae2fb4f39678e14cc1d4f1aa72de9e00b58f2b7305cd780fc8f1c29496d37c073f80b25f416e203e64040f3896818a575e0b46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsVciwwxod.log

Filesize
1KB

MD5
6ae31a3527ac83e3692750217be4f281

SHA1
9fb50c4a0ca6f07f80b68ea014c115d583552e63

SHA256
dd5b8401a47ff98d1f7e3b2faf6967ccca48a9036b34f39fefcc75ad7292a37e

SHA512
9b55dfe8efb272d79670d85600771c731cdd9baf7624effcd96da38c504e61b34f3a8fc7b2023ec8d33d50a4d1d6517530f26b072ed8c366b53b4f14dac7af98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADD1.tmp

Filesize
28KB

MD5
65c886ccb5005361fc90a6a66f8ee638

SHA1
28d7480f5df3fbf9e13f5908ee004016133e5eb0

SHA256
2a5cfe4e67fe883ee825dff1f6db01fb0e950b0cb3b3b065f8706daac0aa0914

SHA512
3ea023d506b1dd9cfabf6939b20ef0c6a93c227df683ca9a29c00d461a38583a6b76780d2a4ed62cbe81a4f6088885bf5882d965c7623bff945d0430d164cc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
927fc88d8374a77e5eb75bf701a3f166

SHA1
27e79c0946da9cc741a3e7bb7481454b7474f40e

SHA256
7dcc22e5e03d126d9116fa96c48fec55defdbd699f9aa1506b6ee3a20851bb45

SHA512
6b602bf36b9f12fad41d58679316c2b46b3aec11eaef0dcdacf7b10d1d658e521a95b07390a5b44f9b4df697ca749f564e2b725b960d1c42c55db48e31861ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ce78d81472e4b77217895df912fc6ab2

SHA1
162880779975ef42fb8268861f2e6f127dfdbc39

SHA256
8ff8dd60e2a556d1901caa1d0d211a142e399b65af0f65e960e9269ceafe3010

SHA512
4cfea0f1f39d3b4475a3faba1c9f9c94754524e4b8a5ccc0a86846a4ec19b7354d0708ca9abf5159a0a7a784ef92d799909b1c0f28070d848ba063eedf141335

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f7e032f1c0bb653a1f154b1ea3d8273f

SHA1
00926fd6569cc22481b7ff76b33ab68e815f5e31

SHA256
871807bb11f83842f4b283d895cc94920a075babae4b1f9b93f4baf164e8786d

SHA512
96b12e3020c9d6677e4ec5caf48d8c7e2f26cdcfc43bf52898e0df6e929e9adae26e3695f6b1664fd587bd8e00e2de3cb7e8a114cae52099dcd0a98b9e657fd5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/116-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-236-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-240-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-178-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-247-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-44-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/116-265-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3436-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-179-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-248-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads