Analysis

  • max time kernel
    157s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-04-2024 05:04

General

  • Target

    dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll

  • Size

    905KB

  • MD5

    dbf66cf845c6af2445cb611215c84282

  • SHA1

    ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

  • SHA256

    7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

  • SHA512

    300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

  • SSDEEP

    12288:dU7AzcO18OcZtc98uEE8aPfR6xa7jg0Ii3pSGdSJbbIclZg5i0WBRLuMdgX2rbnj:GAzcO1T0yfR6lxcYIYZDqM9n7Bn

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama116

Campaign

1634289383

C2

41.228.22.180:443

188.55.249.239:995

120.150.218.241:995

37.117.191.19:2222

68.204.7.158:443

81.241.252.59:2078

196.207.140.40:995

174.54.193.186:443

63.143.92.99:995

197.89.144.200:443

86.220.112.26:2222

73.52.50.32:443

103.82.211.39:465

146.66.238.74:443

167.248.117.81:443

2.222.167.138:443

181.118.183.94:443

103.82.211.39:995

78.179.137.102:995

89.137.52.44:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Windows security bypass 2 TTPs 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn etqbjtff /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll\"" /SC ONCE /Z /ST 05:07 /ET 05:19
          4⤵
          • Creates scheduled task(s)
          PID:2552
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4781009D-53F9-4985-8066-68A8BA763FAB} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Afmykhuiq" /d "0"
            5⤵
            • Windows security bypass
            PID:2272
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iflhqc" /d "0"
            5⤵
            • Windows security bypass
            PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll
    Filesize

    905KB

    MD5

    dbf66cf845c6af2445cb611215c84282

    SHA1

    ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

    SHA256

    7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

    SHA512

    300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/580-27-0x0000000074390000-0x0000000074515000-memory.dmp
    Filesize

    1.5MB

  • memory/580-21-0x0000000074390000-0x0000000074515000-memory.dmp
    Filesize

    1.5MB

  • memory/580-22-0x0000000074390000-0x0000000074515000-memory.dmp
    Filesize

    1.5MB

  • memory/580-20-0x0000000074390000-0x0000000074515000-memory.dmp
    Filesize

    1.5MB

  • memory/1180-33-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/1180-31-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/1180-30-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/1180-29-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/1180-26-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-7-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-15-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-14-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-13-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-12-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-11-0x0000000000080000-0x00000000000A1000-memory.dmp
    Filesize

    132KB

  • memory/2548-5-0x00000000000B0000-0x00000000000B2000-memory.dmp
    Filesize

    8KB

  • memory/2560-8-0x0000000074B40000-0x0000000074CC5000-memory.dmp
    Filesize

    1.5MB

  • memory/2560-0-0x0000000074B40000-0x0000000074CC5000-memory.dmp
    Filesize

    1.5MB

  • memory/2560-1-0x0000000074B40000-0x0000000074CC5000-memory.dmp
    Filesize

    1.5MB

  • memory/2560-4-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize

    4KB

  • memory/2560-2-0x0000000074B40000-0x0000000074CC5000-memory.dmp
    Filesize

    1.5MB