Analysis
-
max time kernel
149s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-11-2020 14:40
Static task
static1
General
-
Target
hjfoze.exe
-
Size
1.0MB
-
MD5
6284a3b53e3c607d7718cc3de373fdee
-
SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd
-
SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
-
SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
Malware Config
Extracted
qakbot
notset
1604404534
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
67.6.55.77:443
89.136.39.108:443
2.50.58.76:443
188.25.158.61:443
45.63.107.192:995
45.32.154.10:443
94.52.160.116:443
45.63.107.192:2222
45.63.107.192:443
72.204.242.138:465
84.117.176.32:443
95.77.223.148:443
47.146.39.147:443
41.225.13.128:8443
80.14.209.42:2222
190.220.8.10:995
66.76.105.194:443
105.101.69.242:443
89.33.87.107:443
75.136.40.155:443
78.97.3.6:443
108.46.145.30:443
68.134.181.98:443
85.121.42.12:995
75.87.161.32:995
68.174.15.223:443
149.28.99.97:995
199.247.16.80:443
45.32.155.12:443
149.28.99.97:2222
149.28.99.97:443
70.168.130.172:995
93.86.252.177:995
50.244.112.10:995
59.99.36.238:443
185.246.9.69:995
208.99.100.129:443
41.97.25.63:443
72.186.1.237:443
59.99.36.241:443
45.32.155.12:2222
96.30.198.161:443
140.82.27.132:443
45.32.165.134:443
45.63.104.123:443
207.246.70.216:443
97.118.38.31:993
134.228.24.29:443
188.25.24.21:2222
2.89.17.127:995
72.82.15.220:443
174.62.13.151:443
120.150.60.189:995
80.195.103.146:2222
142.129.227.86:443
89.137.221.232:443
98.26.50.62:995
74.129.26.119:443
146.199.132.233:2222
77.27.174.49:995
172.114.116.226:995
95.179.247.224:443
189.231.189.64:443
45.32.155.12:995
45.32.162.253:443
199.247.22.145:443
35.134.202.234:443
184.98.97.227:995
85.122.141.42:995
89.137.211.239:443
72.16.56.171:443
72.28.255.159:995
47.44.217.98:443
189.183.206.170:995
64.185.5.157:443
202.141.244.118:995
72.209.191.27:443
86.122.18.250:443
141.158.47.123:443
203.198.96.164:443
173.245.152.231:443
95.77.144.238:443
41.228.227.124:443
67.78.151.218:2222
84.232.238.30:443
188.27.32.167:443
173.3.17.223:995
201.215.96.174:0
69.11.247.242:443
87.65.204.240:995
207.246.75.201:443
217.162.149.212:443
45.77.193.83:443
80.240.26.178:443
98.16.204.189:995
173.90.33.182:2222
103.206.112.234:443
72.36.59.46:2222
190.220.8.10:443
86.98.89.245:2222
39.36.35.237:995
217.165.96.127:990
151.73.112.197:443
79.113.119.125:443
2.50.110.49:2078
72.66.47.70:443
93.113.177.152:443
103.238.231.35:443
78.97.207.104:443
156.213.227.208:443
71.163.223.253:443
108.31.15.10:995
184.21.136.237:443
184.179.14.130:22
81.133.234.36:2222
74.75.216.202:443
2.51.247.69:995
96.243.35.201:443
46.53.16.93:443
217.165.2.92:995
37.106.7.143:443
203.106.195.67:443
172.91.19.192:443
2.7.202.106:2222
78.96.199.79:443
184.55.32.182:443
24.205.42.241:443
103.76.160.110:443
188.121.219.88:2222
79.113.208.68:443
85.204.189.105:443
50.96.234.132:995
31.5.21.66:443
66.215.32.224:443
81.97.154.100:443
47.185.140.236:80
108.30.125.94:443
188.247.252.243:443
69.47.26.41:443
74.195.88.59:443
95.76.27.6:443
68.46.142.48:995
73.200.219.143:443
173.173.1.164:443
24.40.173.134:443
173.21.10.71:2222
73.225.67.0:443
45.47.65.191:443
75.106.52.142:443
75.182.220.196:2222
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
dwadxe.exedwadxe.exepid process 1432 dwadxe.exe 1064 dwadxe.exe -
Loads dropped DLL 2 IoCs
Processes:
hjfoze.exepid process 1688 hjfoze.exe 1688 hjfoze.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
hjfoze.exehjfoze.exedwadxe.exedwadxe.exeexplorer.exehjfoze.exepid process 1688 hjfoze.exe 832 hjfoze.exe 832 hjfoze.exe 1432 dwadxe.exe 1064 dwadxe.exe 1064 dwadxe.exe 1124 explorer.exe 1124 explorer.exe 1548 hjfoze.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
dwadxe.exepid process 1432 dwadxe.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
hjfoze.exedwadxe.exetaskeng.exedescription pid process target process PID 1688 wrote to memory of 832 1688 hjfoze.exe hjfoze.exe PID 1688 wrote to memory of 832 1688 hjfoze.exe hjfoze.exe PID 1688 wrote to memory of 832 1688 hjfoze.exe hjfoze.exe PID 1688 wrote to memory of 832 1688 hjfoze.exe hjfoze.exe PID 1688 wrote to memory of 1432 1688 hjfoze.exe dwadxe.exe PID 1688 wrote to memory of 1432 1688 hjfoze.exe dwadxe.exe PID 1688 wrote to memory of 1432 1688 hjfoze.exe dwadxe.exe PID 1688 wrote to memory of 1432 1688 hjfoze.exe dwadxe.exe PID 1688 wrote to memory of 1700 1688 hjfoze.exe schtasks.exe PID 1688 wrote to memory of 1700 1688 hjfoze.exe schtasks.exe PID 1688 wrote to memory of 1700 1688 hjfoze.exe schtasks.exe PID 1688 wrote to memory of 1700 1688 hjfoze.exe schtasks.exe PID 1432 wrote to memory of 1064 1432 dwadxe.exe dwadxe.exe PID 1432 wrote to memory of 1064 1432 dwadxe.exe dwadxe.exe PID 1432 wrote to memory of 1064 1432 dwadxe.exe dwadxe.exe PID 1432 wrote to memory of 1064 1432 dwadxe.exe dwadxe.exe PID 1432 wrote to memory of 1124 1432 dwadxe.exe explorer.exe PID 1432 wrote to memory of 1124 1432 dwadxe.exe explorer.exe PID 1432 wrote to memory of 1124 1432 dwadxe.exe explorer.exe PID 1432 wrote to memory of 1124 1432 dwadxe.exe explorer.exe PID 1432 wrote to memory of 1124 1432 dwadxe.exe explorer.exe PID 576 wrote to memory of 1548 576 taskeng.exe hjfoze.exe PID 576 wrote to memory of 1548 576 taskeng.exe hjfoze.exe PID 576 wrote to memory of 1548 576 taskeng.exe hjfoze.exe PID 576 wrote to memory of 1548 576 taskeng.exe hjfoze.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hjfoze.exe"C:\Users\Admin\AppData\Local\Temp\hjfoze.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hjfoze.exeC:\Users\Admin\AppData\Local\Temp\hjfoze.exe /C2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeC:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeC:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe /C3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jimufju /tr "\"C:\Users\Admin\AppData\Local\Temp\hjfoze.exe\" /I jimufju" /SC ONCE /Z /ST 15:39 /ET 15:512⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {17024778-9A5A-46B9-82DF-DFACE9499F05} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hjfoze.exeC:\Users\Admin\AppData\Local\Temp\hjfoze.exe /I jimufju2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.datMD5
ecc39332aa387982ac84711872d14a18
SHA155069dca17e2e93a8f1fed177e62e634a6cdbba5
SHA256a2a3f3c5a30bec4517a62cb827bbee808fa1ad2d9492d79f981eeaa76b90bb73
SHA512af9bb89fa635696a67023ce96169bf22996eed9c530594c3e548fa36c6870083ec120ab5c18b9f7106596c0c2b84645eaecf070b2f577ba44914ee8ee0c0d464
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeMD5
6284a3b53e3c607d7718cc3de373fdee
SHA186442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA5121e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeMD5
6284a3b53e3c607d7718cc3de373fdee
SHA186442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA5121e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeMD5
6284a3b53e3c607d7718cc3de373fdee
SHA186442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA5121e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
-
\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeMD5
6284a3b53e3c607d7718cc3de373fdee
SHA186442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA5121e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
-
\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exeMD5
6284a3b53e3c607d7718cc3de373fdee
SHA186442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA5121e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e
-
memory/832-0-0x0000000000000000-mapping.dmp
-
memory/832-1-0x0000000002510000-0x0000000002521000-memory.dmpFilesize
68KB
-
memory/1064-8-0x0000000000000000-mapping.dmp
-
memory/1064-10-0x0000000002500000-0x0000000002511000-memory.dmpFilesize
68KB
-
memory/1124-12-0x0000000000000000-mapping.dmp
-
memory/1432-4-0x0000000000000000-mapping.dmp
-
memory/1432-11-0x00000000024E0000-0x000000000251A000-memory.dmpFilesize
232KB
-
memory/1548-14-0x0000000000000000-mapping.dmp
-
memory/1700-6-0x0000000000000000-mapping.dmp