Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2025, 11:38

Behavioral task: behavioral1
Sample: JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
Resource: win10v2004-20250314-en

General

Target: JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
Size: 21KB
MD5: a9e780e8d7a70a0e2ff16e0c9ab47371
SHA1: 8bcfd1a4848b81d2228cf0945d855065a0aea52d
SHA256: 59a8f018a331e903f7b4d4546c2ecc113c3ea786d92565fcee20dcbff9c13910
SHA512: 8421daa7d40313ebc87896ee909a3d31d6a1dce7c9c75ce788007fdf55ab5ca684de53b82674e6935d48cce6d8af61bef436d43256b93e0b86fe9291f81d4fd1
SSDEEP: 384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUDRReJ:SCIqdH/k1ZVcT194jp4nC
Malware Config
Signatures
Detects MyDoom family 23 IoCs
Mydoom family
Executes dropped EXE 2 IoCs
pid   Process
1704  lsass.exe
3168  lsass.exe
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"  JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"  lsass.exe
UPX packed file (yara rule: upx)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                   Process
File opened for modification  C:\Windows\lsass.exe  JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
File created                  C:\Windows\lsass.exe  JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
File opened for modification  C:\Windows\lsass.exe  lsass.exe
File created                  C:\Windows\lsass.exe  lsass.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lsass.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid   Process  procid_target
PID 2504 wrote to memory of 1704   2504  cmd.exe  89
PID 2504 wrote to memory of 1704   2504  cmd.exe  89
PID 2504 wrote to memory of 1704   2504  cmd.exe  89
PID 5240 wrote to memory of 3168   5240  cmd.exe  92
PID 5240 wrote to memory of 3168   5240  cmd.exe  92
PID 5240 wrote to memory of 3168   5240  cmd.exe  92
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a9e780e8d7a70a0e2ff16e0c9ab47371.exe"
  PID: 5256
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  PID: 2504
  - Suspicious use of WriteProcessMemory
  child process: C:\Windows\lsass.exe
    command line: C:\Windows\lsass.exe
    PID: 1704
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  PID: 5240
  - Suspicious use of WriteProcessMemory
  child process: C:\Windows\lsass.exe
    command line: C:\Windows\lsass.exe
    PID: 3168
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 1KB
MD5: 0ac5e8c9cab920c0207a249d1cfe6204
SHA1: b7cb237b9b7b68c419f82264590dc64cdc14470d
SHA256: 63391dc3e4659905c4891bb77ce088246c19639d67a17149d32cefca3e9c3d21
SHA512: 159955c3ebdbb86cf0db164ecafa77b949e76da782b9bc48308fb1fb87948c638f17d18efae7efb11e2d5ce13003b221223b160c868cb75e735000799bde9bb8

Filesize: 21KB
MD5: a9e780e8d7a70a0e2ff16e0c9ab47371
SHA1: 8bcfd1a4848b81d2228cf0945d855065a0aea52d
SHA256: 59a8f018a331e903f7b4d4546c2ecc113c3ea786d92565fcee20dcbff9c13910
SHA512: 8421daa7d40313ebc87896ee909a3d31d6a1dce7c9c75ce788007fdf55ab5ca684de53b82674e6935d48cce6d8af61bef436d43256b93e0b86fe9291f81d4fd1