qakbot | 7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

General

Target

dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll
Size

905KB
MD5

dbf66cf845c6af2445cb611215c84282
SHA1

ae1c4b5d117e57bf8d541edab0e0bd100db07ea1
SHA256

7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc
SHA512

300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7
SSDEEP

12288:dU7AzcO18OcZtc98uEE8aPfR6xa7jg0Ii3pSGdSJbbIclZg5i0WBRLuMdgX2rbnj:GAzcO1T0yfR6lxcYIYZDqM9n7Bn

Score

10^/10

qakbot obama116 1634289383 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama116

Campaign

1634289383

C2

41.228.22.180:443

188.55.249.239:995

120.150.218.241:995

37.117.191.19:2222

68.204.7.158:443

81.241.252.59:2078

196.207.140.40:995

174.54.193.186:443

63.143.92.99:995

197.89.144.200:443

86.220.112.26:2222

73.52.50.32:443

103.82.211.39:465

146.66.238.74:443

167.248.117.81:443

2.222.167.138:443

181.118.183.94:443

103.82.211.39:995

78.179.137.102:995

89.137.52.44:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Afmykhuiq = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Iflhqc = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

580 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2552 schtasks.exe

pid	process
580	regsvr32.exe

pid	process
2552	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\d1ad1585 = 05a898ff3bfa50f98d1d0de92ff20396c490ab4838dbb12f017fcd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\23c7cd58 = 18777b2dbc067ad7e2ae70c17dcf73bd92efca9aadb9af0a2f490c5125edd71baf58aa1f9d8d22fe9da19990c163df348ed64a355f8bf89b0fa4c4ba9e9df9c829d1b848c89c50b2d5d3755578	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\9b7baa3d = 15e26d7109a08ecad71e35a694049091098d188ca200093fb8c84cf1e9223176efbde14d8be8392ad1e897cc2f0a7f8df003e6fa8a00d441d6daf2263e5e429d4d6b4d8d91e94770b23f6e797f449aca49da3d2d2cc76491a13f4fb854a18c34107c28074fd2e65863da35a55cf2b5d90288	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Aejosvmsldxb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\e673e5b7 = 42650339a0bb4d8660601cb911526efe5d83045632e061bbde6a0dc4b2bb5f71a4a44e29e7518c0a3c73c3dc6043ba90fbfa46387c6dfe550e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\5ecf82d2 = 0bb945ba45fed81c41007069324c65402a496a21bdcf43dd01e45b0616f62d02473657a3fe8f9c055a280a9d7e21ab16d44753c3879b501622daa156b19ff3004c4c5a97f5697d05665799063d4a403295ab46	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\5c8ea2ae = fae58724db3aae1a3747c912e463a7ce9e4222aa350ff4a8ce73fa3dac192d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\aee47a73 = 76e8bfb693fa83d863619535b982bca7f26831b5d0aa4e9f900ea717af9a34d3c37467c223abbc156d69489f2f579212a95cf3d05a4439bd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\d1ad1585 = 05a88fff3bfa6574f8c5aa70b8447e19a62dde6e9f26cfb8bc63c49f1262d523c6ef4b1a343f4eeb4f87eda97ad3351a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Aejosvmsldxb\e432c5cb = 33a5a9cab156661a31aa5299eca10f4a18571e01bfd394eee7f0f491e555f7ab6f895e46164c2ff3c737322c57a27bf1537fd80e333367d61b0f9a7534f9c967f21f77dcbdfbc4a123fd08c46854d661f0088a55a6dcf5115ac58eba565f3ac823a52b2555b64007e3abe944a8dc6088d0ab5e6c7fa14a6fbb8f4642f705291f25fe40074647e8ce257eabdb2ba1ae3ecbfcbac9e85ac7ea9b8c20fe3769	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2560 rundll32.exe
580 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2560 rundll32.exe
580 regsvr32.exe

pid	process
2560	rundll32.exe
580	regsvr32.exe

pid	process
2560	rundll32.exe
580	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2560	2952	rundll32.exe	rundll32.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2560 wrote to memory of 2548	2560	rundll32.exe	explorer.exe
PID 2548 wrote to memory of 2552	2548	explorer.exe	schtasks.exe
PID 2548 wrote to memory of 2552	2548	explorer.exe	schtasks.exe
PID 2548 wrote to memory of 2552	2548	explorer.exe	schtasks.exe
PID 2548 wrote to memory of 2552	2548	explorer.exe	schtasks.exe
PID 1872 wrote to memory of 484	1872	taskeng.exe	regsvr32.exe
PID 1872 wrote to memory of 484	1872	taskeng.exe	regsvr32.exe
PID 1872 wrote to memory of 484	1872	taskeng.exe	regsvr32.exe
PID 1872 wrote to memory of 484	1872	taskeng.exe	regsvr32.exe
PID 1872 wrote to memory of 484	1872	taskeng.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 580	484	regsvr32.exe	regsvr32.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 580 wrote to memory of 1180	580	regsvr32.exe	explorer.exe
PID 1180 wrote to memory of 2272	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 2272	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 2272	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 2272	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 1116	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 1116	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 1116	1180	explorer.exe	reg.exe
PID 1180 wrote to memory of 1116	1180	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn etqbjtff /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll\"" /SC ONCE /Z /ST 05:07 /ET 05:19
4⤵
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\taskeng.exe
taskeng.exe {4781009D-53F9-4985-8066-68A8BA763FAB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Afmykhuiq" /d "0"
5⤵
- Windows security bypass
PID:2272

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iflhqc" /d "0"
5⤵
- Windows security bypass
PID:1116

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll
Filesize
905KB

MD5
dbf66cf845c6af2445cb611215c84282

SHA1
ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

SHA256
7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

SHA512
300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/580-27-0x0000000074390000-0x0000000074515000-memory.dmp

Filesize
1.5MB

Download
memory/580-21-0x0000000074390000-0x0000000074515000-memory.dmp

Filesize
1.5MB

Download
memory/580-22-0x0000000074390000-0x0000000074515000-memory.dmp

Filesize
1.5MB

Download
memory/580-20-0x0000000074390000-0x0000000074515000-memory.dmp

Filesize
1.5MB

Download
memory/1180-33-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1180-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1180-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1180-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1180-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-15-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2548-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2560-8-0x0000000074B40000-0x0000000074CC5000-memory.dmp

Filesize
1.5MB

Download
memory/2560-0-0x0000000074B40000-0x0000000074CC5000-memory.dmp

Filesize
1.5MB

Download
memory/2560-1-0x0000000074B40000-0x0000000074CC5000-memory.dmp

Filesize
1.5MB

Download
memory/2560-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2560-2-0x0000000074B40000-0x0000000074CC5000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads