Analysis
Max time kernel: 132s
Max time network: 125s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 22-11-2020 14:41
Static task: static1
General
Target: kbjilz.exe
Size: 1.0MB
MD5: a330db4586985e36ecb5b54f6732a030
SHA1: f63427e93339a020f1eb54c998758e0330f30271
SHA256: bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f
SHA512: a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e
Malware Config
Extracted
Family: qakbot
Botnet ID: notset
Campaign timestamp: 1604404534
Signatures

Executes dropped EXE (2 IoCs)
pid   process
1248  fesgrqpn.exe
412   fesgrqpn.exe

Loads dropped DLL (2 IoCs)
pid   process
1704  kbjilz.exe
1704  kbjilz.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid   process
1704  kbjilz.exe
1240  kbjilz.exe
1240  kbjilz.exe
1248  fesgrqpn.exe
412   fesgrqpn.exe
412   fesgrqpn.exe
584   explorer.exe
584   explorer.exe
564   kbjilz.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid   process
1248  fesgrqpn.exe

Suspicious use of WriteProcessMemory (25 IoCs)
source pid  source process  target pid  target process  occurrences
1704        kbjilz.exe      1240        kbjilz.exe      4
1704        kbjilz.exe      1248        fesgrqpn.exe    4
1704        kbjilz.exe      1388        schtasks.exe    4
1248        fesgrqpn.exe    412         fesgrqpn.exe    4
1248        fesgrqpn.exe    584         explorer.exe    5
1184        taskeng.exe     564         kbjilz.exe      4
Processes
- C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kbjilz.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\kbjilz.exe /C
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe /C
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ssifppqik /tr "\"C:\Users\Admin\AppData\Local\Temp\kbjilz.exe\" /I ssifppqik" /SC ONCE /Z /ST 14:40 /ET 14:52
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0E957DEC-4EC3-4A58-88A0-C52B8AF5C348} S-1-5-18:NT AUTHORITY\System:Service:
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\kbjilz.exe /I ssifppqik
    Signatures: Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.dat
  MD5: 89ff9881e4280095066f703175505dd4
  SHA1: 9b1452a9884c5fb7b18a3c773407a28514d565b4
  SHA256: 5a3fbdeb6c9d9024144ef625ad775d5f6e8f6e0d3770ba3e4f591ed43c797756
  SHA512: 247fb5883a11dac312b99b7777d167bb7883f9ee86e19d6c15ea6148870ee3e029bbeed8a2d3cfd1d675f58afd01f99ce32eeab67533145d59d15972b2d7a3d9
- C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
  MD5: a330db4586985e36ecb5b54f6732a030
  SHA1: f63427e93339a020f1eb54c998758e0330f30271
  SHA256: bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f
  SHA512: a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e
  The hashes of fesgrqpn.exe are identical to those of the submitted kbjilz.exe (see General), so the dropped file is a copy of the original sample written to the Upvuyq folder.
Memory dumps:
- memory/412-8-0x0000000000000000-mapping.dmp
- memory/412-10-0x00000000025D0000-0x00000000025E1000-memory.dmp (Filesize: 68KB)
- memory/564-14-0x0000000000000000-mapping.dmp
- memory/584-12-0x0000000000000000-mapping.dmp
- memory/1240-1-0x0000000002680000-0x0000000002691000-memory.dmp (Filesize: 68KB)
- memory/1240-0-0x0000000000000000-mapping.dmp
- memory/1248-4-0x0000000000000000-mapping.dmp
- memory/1248-11-0x0000000000340000-0x000000000037A000-memory.dmp (Filesize: 232KB)
- memory/1388-6-0x0000000000000000-mapping.dmp