Analysis
max time kernel: 116s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/04/2025, 15:15
Behavioral task: behavioral1
Sample: JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
Size: 50KB
MD5: b501c002871af9b1de8bc5dcd1657e76
SHA1: dd3371b024fea908b34ad7f336bd0750d7037753
SHA256: 0a4092c70c0057648704eb6413d90639316f75bd67c940e5b8bb194cedd12c68
SHA512: 8daef65a04fb73e9eb9b17d0f42ce7b890ad5f582f21fc68498d1cfa2874b3a2a212a4057f30e1f502e2282ad4be9e05f63472e36c93e42dba3d2c15e7a3cd82
SSDEEP: 1536:SNqaLV8a6g5nWiWLjRJG32GHJTE5wYkNM:SNqMDALdJYBHJ4eQ
Malware Config
Signatures
- Detects MyDoom family (24 IoCs)
- Mydoom family
- Executes dropped EXE (2 IoCs)
  pid | Process
  704 | lsass.exe
  1100 | lsass.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe" | JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe" | lsass.exe
- yara_rule: upx (matched in the sample's memory regions and in the dropped file)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\lsass.exe | lsass.exe
  File created | C:\Windows\lsass.exe | lsass.exe
  File opened for modification | C:\Windows\lsass.exe | JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
  File created | C:\Windows\lsass.exe | JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3248 wrote to memory of 704 | 3248 | cmd.exe | 88
  PID 3248 wrote to memory of 704 | 3248 | cmd.exe | 88
  PID 3248 wrote to memory of 704 | 3248 | cmd.exe | 88
  PID 1200 wrote to memory of 1100 | 1200 | cmd.exe | 91
  PID 1200 wrote to memory of 1100 | 1200 | cmd.exe | 91
  PID 1200 wrote to memory of 1100 | 1200 | cmd.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe (PID:5304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b501c002871af9b1de8bc5dcd1657e76.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- C:\Windows\system32\cmd.exe (PID:3248)
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  - Suspicious use of WriteProcessMemory
  - C:\Windows\lsass.exe (PID:704)
    Command line: C:\Windows\lsass.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\cmd.exe (PID:1200)
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\lsass.exe
  - Suspicious use of WriteProcessMemory
  - C:\Windows\lsass.exe (PID:1100)
    Command line: C:\Windows\lsass.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 29KB
  MD5: 10e57cdf1f3f56ad8129bd30865cf9d1
  SHA1: 98d48a679bd189d06b3599667a597f1455319f45
  SHA256: c3e021ddd2eac7b4eb393d3d1c7899e8560d38012a4aeca5b71ca8c6db631dc2
  SHA512: 1893215e10617cd2c24dae70a40ebf362d7ab44cb6773909bea57b823cb0c2cc3e9ed71e198550ef2542191e0401c986deaff8940f4f4e223a3f95732e7ea26e
- Filesize: 50KB
  MD5: b501c002871af9b1de8bc5dcd1657e76
  SHA1: dd3371b024fea908b34ad7f336bd0750d7037753
  SHA256: 0a4092c70c0057648704eb6413d90639316f75bd67c940e5b8bb194cedd12c68
  SHA512: 8daef65a04fb73e9eb9b17d0f42ce7b890ad5f582f21fc68498d1cfa2874b3a2a212a4057f30e1f502e2282ad4be9e05f63472e36c93e42dba3d2c15e7a3cd82