mylobot | 1277d25e1c2edaaf19d89afa71c64057425c3f13914bc4d1474d7d6d76cc0628

General

Target

f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
Size

340KB
MD5

f5cc1d9481b083729a87c262304250ac
SHA1

9c964dc6f614e4b2d995660da2e98682ca7b4912
SHA256

1277d25e1c2edaaf19d89afa71c64057425c3f13914bc4d1474d7d6d76cc0628
SHA512

c860ef508080bcdb296a9b9d697007fb44a86ada11276c83eb2a362b6a3d7ddbc89acbdb5ffd09af1b77ba6f4dfafe46c648f8dcd6e5607aa8d1d5e1e00edf74
SSDEEP

6144:hjz5EwxAQ5nAOpngFnhOCZUBD94JNemDJKk5nkgesTd:hJEwxAOn7grOeZJNemDJKk5nkaTd

Score

10^/10

mylobot botnet discovery persistence

Malware Config

Extracted

Family

mylobot

C2

op17.ru:6006

eakalra.ru:1281

zgclgdb.ru:8518

hpifnad.ru:3721

lbjcwix.ru:8326

rykacfb.ru:8483

benkofx.ru:3333

fpzskbc.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot

Deletes itself 1 IoCs

pid	Process
2452	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6FFD46A7-5817-7727-21AC-9EDD1615F8A5} = "c:\\programdata\\{F3ED6E97-7027-EB37-21AC-9EDD1615F8A5}\\5e52be08.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\CLSID\{A9C8496A-57DA-B112-21AC-9EDD1615F8A5}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\CLSID\{F3ED6E94-7024-EB37-21AC-9EDD1615F8A5}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\CLSID\{F3ED6E94-7024-EB37-21AC-9EDD1615F8A5}\ = "1727259833"	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
2452	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1908	1700	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2452	1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2452	1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2452	1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2452	1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2452	1908	f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe	31
PID 2452 wrote to memory of 1908	2452	svchost.exe	30
PID 2452 wrote to memory of 1908	2452	svchost.exe	30
PID 2452 wrote to memory of 2804	2452	svchost.exe	32
PID 2452 wrote to memory of 2804	2452	svchost.exe	32
PID 2452 wrote to memory of 2804	2452	svchost.exe	32
PID 2452 wrote to memory of 2804	2452	svchost.exe	32
PID 2452 wrote to memory of 2804	2452	svchost.exe	32
PID 2452 wrote to memory of 2804	2452	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5cc1d9481b083729a87c262304250ac_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F3ED6E97-7027-EB37-21AC-9EDD1615F8A5}\5e52be08.exe

Filesize
340KB

MD5
f5cc1d9481b083729a87c262304250ac

SHA1
9c964dc6f614e4b2d995660da2e98682ca7b4912

SHA256
1277d25e1c2edaaf19d89afa71c64057425c3f13914bc4d1474d7d6d76cc0628

SHA512
c860ef508080bcdb296a9b9d697007fb44a86ada11276c83eb2a362b6a3d7ddbc89acbdb5ffd09af1b77ba6f4dfafe46c648f8dcd6e5607aa8d1d5e1e00edf74

Download Submit
memory/1700-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1908-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1908-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-29-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-20-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-19-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-21-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-23-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-22-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-18-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-35-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/2452-17-0x0000000000080000-0x00000000000D5000-memory.dmp

Filesize
340KB

Download
memory/2804-34-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads