mylobot | 98933c4dfb0ffa2b7ba283759dd4bcbb87d477250c7a0f8fbfcb5853f2a199cb

General

Target

JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
Size

351KB
MD5

6f742ded41e3a5cad4cbe74128e833f7
SHA1

b4ad7977450f002093be5274a26c5c7d7d82aef0
SHA256

98933c4dfb0ffa2b7ba283759dd4bcbb87d477250c7a0f8fbfcb5853f2a199cb
SHA512

780aeb499b5dab64930383c80894ebc0b7b3ca1aa0283ceba50fb095dd2dbdda9d573cbc1cb1697785be45d344abc0a689f37c7ee212690bb1a178f5aab8f81d
SSDEEP

6144:1BLtiT5nAO7OaW6Oqkh0QS/ec2P1NsZNefdddtFlYkl5d9hrg5iM8XRtu9gr9Yyh:VitnhOaW6OqU0QS/ecy1NsZNefdddtFB

Score

10^/10

mylobot botnet discovery persistence

Malware Config

Extracted

Family

mylobot

C2

op17.ru:6006

eakalra.ru:1281

zgclgdb.ru:8518

hpifnad.ru:3721

lbjcwix.ru:8326

rykacfb.ru:8483

benkofx.ru:3333

fpzskbc.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Mylobot family
mylobot

Deletes itself 1 IoCs

pid	Process
2708	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2DCA3AA8-E18C-F59C-3FFF-07557663B631} = "c:\\programdata\\{B1DA1298-C9BC-698C-3FFF-07557663B631}\\1c65c207.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{EBFF3565-EE41-33A9-3FFF-07557663B631}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{B1DA129B-C9BF-698C-3FFF-07557663B631}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{B1DA129B-C9BF-698C-3FFF-07557663B631}\ = "1735936709"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
2708	svchost.exe
2708	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2248 wrote to memory of 2420	2248	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	30
PID 2420 wrote to memory of 2708	2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	31
PID 2420 wrote to memory of 2708	2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	31
PID 2420 wrote to memory of 2708	2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	31
PID 2420 wrote to memory of 2708	2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	31
PID 2420 wrote to memory of 2708	2420	JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe	31
PID 2708 wrote to memory of 2248	2708	svchost.exe	29
PID 2708 wrote to memory of 2248	2708	svchost.exe	29
PID 2708 wrote to memory of 2752	2708	svchost.exe	32
PID 2708 wrote to memory of 2752	2708	svchost.exe	32
PID 2708 wrote to memory of 2752	2708	svchost.exe	32
PID 2708 wrote to memory of 2752	2708	svchost.exe	32
PID 2708 wrote to memory of 2752	2708	svchost.exe	32
PID 2708 wrote to memory of 2752	2708	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f742ded41e3a5cad4cbe74128e833f7.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{B1DA1298-C9BC-698C-3FFF-07557663B631}\1c65c207.exe

Filesize
351KB

MD5
6f742ded41e3a5cad4cbe74128e833f7

SHA1
b4ad7977450f002093be5274a26c5c7d7d82aef0

SHA256
98933c4dfb0ffa2b7ba283759dd4bcbb87d477250c7a0f8fbfcb5853f2a199cb

SHA512
780aeb499b5dab64930383c80894ebc0b7b3ca1aa0283ceba50fb095dd2dbdda9d573cbc1cb1697785be45d344abc0a689f37c7ee212690bb1a178f5aab8f81d

Download Submit
memory/2248-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2248-25-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2248-27-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2420-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-30-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-3-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-13-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2420-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2708-28-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-23-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-18-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-22-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-21-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-20-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-36-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2708-17-0x0000000000110000-0x0000000000168000-memory.dmp

Filesize
352KB

Download
memory/2752-35-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.