qakbot | e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5

General

Target

jphxaul.exe
Sample

191111-jzlt6rkwlj
SHA256

e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5

Score

N/A

Malware Config

Extracted

Family

qakbot

Botnet

spx22

Campaign

1571043018

C2

98.186.90.192:995

2.50.170.151:443

74.194.4.181:443

70.74.159.126:2222

75.70.218.193:443

96.59.11.86:443

168.245.228.71:443

173.22.120.11:2222

71.77.231.251:443

24.184.6.58:2222

108.5.32.66:443

64.19.74.29:995

68.83.59.107:443

104.3.91.20:995

100.4.185.8:443

96.20.238.2:2087

99.228.242.183:995

206.255.212.179:443

50.247.230.33:443

108.55.23.221:443

Signatures

Executes dropped EXE 4 IoCs

Processes:

vanqawu.exevanqawu.exevanqawu.exevanqawu.exe

pid process

1056 vanqawu.exe
1992 vanqawu.exe
1416 vanqawu.exe
1188 vanqawu.exe

pid	process
1056	vanqawu.exe
1992	vanqawu.exe
1416	vanqawu.exe
1188	vanqawu.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\fourwrig = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Igniwjmeevrg\\vanqawu.exe\""	2028	explorer.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	628	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	1768	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"	1676	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"	1976	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	1900	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	1500	reg.exe

qakbot family
family qakbot
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

1480 conhost.exe
Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1136 PING.EXE

pid	process
1480	conhost.exe

pid	process
1136	PING.EXE

Uses Task Scheduler COM API 1 TTPs 12 IoCs

persistence

Query Registry

T1012

Processes:

schtasks.exe

description	ioc	pid	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	452	schtasks.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	452	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	452	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	452	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\	452	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\	452	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	452	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32	452	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\	452	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel	452	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	452	schtasks.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

jphxaul.exejphxaul.exevanqawu.exevanqawu.exeexplorer.exejphxaul.exevanqawu.exevanqawu.exe

pid process

604 jphxaul.exe
1336 jphxaul.exe
1056 vanqawu.exe
1992 vanqawu.exe
2028 explorer.exe
1012 jphxaul.exe
1416 vanqawu.exe
1188 vanqawu.exe

pid	process
604	jphxaul.exe
1336	jphxaul.exe
1056	vanqawu.exe
1992	vanqawu.exe
2028	explorer.exe
1012	jphxaul.exe
1416	vanqawu.exe
1188	vanqawu.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

jphxaul.exevanqawu.exetaskeng.exejphxaul.exevanqawu.exe

description	pid	process	target process
PID 604 wrote to memory of 1336	604	jphxaul.exe	jphxaul.exe
PID 604 wrote to memory of 1056	604	jphxaul.exe	vanqawu.exe
PID 1056 wrote to memory of 1992	1056	vanqawu.exe	vanqawu.exe
PID 604 wrote to memory of 1984	604	jphxaul.exe	schtasks.exe
PID 1056 wrote to memory of 2028	1056	vanqawu.exe	explorer.exe
PID 1876 wrote to memory of 1012	1876	taskeng.exe	jphxaul.exe
PID 1012 wrote to memory of 628	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1768	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1612	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1108	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1676	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1976	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1900	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1500	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 272	1012	jphxaul.exe	reg.exe
PID 1012 wrote to memory of 1416	1012	jphxaul.exe	vanqawu.exe
PID 1416 wrote to memory of 1188	1416	vanqawu.exe	vanqawu.exe
PID 1012 wrote to memory of 676	1012	jphxaul.exe	cmd.exe
PID 1012 wrote to memory of 452	1012	jphxaul.exe	schtasks.exe

Loads dropped DLL 1 IoCs

Processes:

jphxaul.exe

pid process

604 jphxaul.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vanqawu.exe

pid process

1056 vanqawu.exe

pid	process
604	jphxaul.exe

pid	process
1056	vanqawu.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Processes:

reg.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg = "0"	272	reg.exe

C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:604

C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /C
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ybkwvyp /tr "\"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe\" /I ybkwvyp" /SC ONCE /Z /ST 12:04 /ET 12:16
1⤵
PID:1984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-157650051713137425221453828682-563269393-1814647841-3748403121025691665-1290155868"
1⤵
PID:2044

C:\Windows\system32\taskeng.exe
taskeng.exe {1AE7CC52-16E2-435F-8AA8-A4B4DB0A0554} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /I ybkwvyp
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1892214418734038116676880603-2137211342-308514979182202094-461706840-1487895787"
1⤵
PID:612

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1846539307698988202-238783652153604435811161975561485628372-419960300-1081086740"
1⤵
PID:1140

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2126700597-602023511128598347849220666273907675-328767046396593165-326507657"
1⤵
PID:560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-606524404-181378488530644363952042838812760679151749668165-18039188781780139046"
1⤵
PID:1620

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "799598720-4585887122113176603-37574688818585980171283037461-1302307596-1461329481"
1⤵
PID:2036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1983942131-374682485-46233501511305139828282098101893507780815200459-939955542"
1⤵
PID:544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
1⤵
- Windows security modification
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1791600109-7803021491146773662-1161290176-161497089574223498112537878141249239330"
1⤵
PID:1884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
1⤵
- Windows security modification
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1089751983-525903941-249769264-168215960-435520847157815833714707576351568596061"
1⤵
PID:1176

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg" /d "0"
1⤵
- Windows security bypass
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-360807716-11146400941947254962-1483829431233470080-1161846694-864639113-1948200342"
1⤵
PID:680

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe /C
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
1⤵
PID:676

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN ybkwvyp
1⤵
- Uses Task Scheduler COM API
PID:452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1423582248-20683251921505893686-1893163185701489153-660625641-113038603712220540"
1⤵
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "756413891761225442-19044948953447337471732737356755198706-428919612-1025494924"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
1⤵
- Runs ping.exe
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060
T1089

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Igniwjmeevrg\vanqawu.exe

Download Submit
memory/1056-5-0x0000000001FB0000-0x0000000002042000-memory.dmp

Filesize
584KB

Download
memory/1188-9-0x00000000024C0000-0x00000000024D1000-memory.dmp

Filesize
68KB

Download
memory/1336-0-0x0000000002430000-0x0000000002441000-memory.dmp

Filesize
68KB

Download
memory/1992-4-0x00000000024A0000-0x00000000024B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads