qakbot | 7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

General

Target

dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll
Size

905KB
MD5

dbf66cf845c6af2445cb611215c84282
SHA1

ae1c4b5d117e57bf8d541edab0e0bd100db07ea1
SHA256

7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc
SHA512

300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7
SSDEEP

12288:dU7AzcO18OcZtc98uEE8aPfR6xa7jg0Ii3pSGdSJbbIclZg5i0WBRLuMdgX2rbnj:GAzcO1T0yfR6lxcYIYZDqM9n7Bn

Score

10^/10

qakbot obama116 1634289383 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama116

Campaign

1634289383

C2

41.228.22.180:443

188.55.249.239:995

120.150.218.241:995

37.117.191.19:2222

68.204.7.158:443

81.241.252.59:2078

196.207.140.40:995

174.54.193.186:443

63.143.92.99:995

197.89.144.200:443

86.220.112.26:2222

73.52.50.32:443

103.82.211.39:465

146.66.238.74:443

167.248.117.81:443

2.222.167.138:443

181.118.183.94:443

103.82.211.39:995

78.179.137.102:995

89.137.52.44:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Njfiu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Baaag = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1216 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5096 schtasks.exe

pid	process
1216	regsvr32.exe

pid	process
5096	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\5845f23a = 990ea39d22aede96d9d223a043aa70cc321e53cd1b8286a444dc7aaf367f1238082d552b2c988f855ef109f925f9322906552572b904b85e3c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\6f9b0208 = ed62b735efd63335f128f6a7fcec86dd9d8d6949c001ae7253e5c41b559e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\d727656d = 7616d70be7bb7371e3e40cb69f6379c60ab0ce573766160a7f57a26a0b4f328e67046353f1b745d3ef1cb6dfe8258bf0ff394d931171c91581abe4cfa20aaf3baeb8ceaa906a8213329a31eabe35c80762d8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\aa2f2ae7 = f28953a469c55f3a6991884dcb63e2e3af	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\270c9dcc = 45786bccc670f2e5a5d907979cbf72	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\5845f23a = 990eb49d22aeeb5f3ecba9f4683039dd51a4849f3fa8558de1ff910ab706f2fe9af656818b1e130a20a2360f1e6760549cbe7a6b4af81aae916ca766d90db8e3d7a96a55a9decbb44b974b2c1fe4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\6dda2274 = 303439e7e8f5f03589c8a22357efc4ab2e2b66b25604b19049bd3e36ff579a69a53051e8623823d6405de338e49b428f7b19c19fe8b1344bd05d6e003b190f253dafa35656db99a2755db46834987d3b826adb5ec00691d8ca0d92aa6dae24102ead05166f00a7ebf2cb0220cd08f30850771f0846db347790becfda29af61fca1c9b3a53380b0700e59269d238dfcd877900fa3c3cccb0aa4875533808802af514213ad9be0386a30	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\12934d82 = f650f3e846a05ab50c7aeb387970e851c522abd801	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ufehbwxyucq\d5664511 = 01120f5177d0b2f96a323ee394ab1504365a8cb24efb66e5edbc32993f7426bb656788bdbaec	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3460 rundll32.exe
3460 rundll32.exe
1216 regsvr32.exe
1216 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3460 rundll32.exe
1216 regsvr32.exe

pid	process
3460	rundll32.exe
3460	rundll32.exe
1216	regsvr32.exe
1216	regsvr32.exe

pid	process
3460	rundll32.exe
1216	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4564 wrote to memory of 3460	4564	rundll32.exe	rundll32.exe
PID 4564 wrote to memory of 3460	4564	rundll32.exe	rundll32.exe
PID 4564 wrote to memory of 3460	4564	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 3500	3460	rundll32.exe	explorer.exe
PID 3460 wrote to memory of 3500	3460	rundll32.exe	explorer.exe
PID 3460 wrote to memory of 3500	3460	rundll32.exe	explorer.exe
PID 3460 wrote to memory of 3500	3460	rundll32.exe	explorer.exe
PID 3460 wrote to memory of 3500	3460	rundll32.exe	explorer.exe
PID 3500 wrote to memory of 5096	3500	explorer.exe	schtasks.exe
PID 3500 wrote to memory of 5096	3500	explorer.exe	schtasks.exe
PID 3500 wrote to memory of 5096	3500	explorer.exe	schtasks.exe
PID 3312 wrote to memory of 1216	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 1216	3312	regsvr32.exe	regsvr32.exe
PID 3312 wrote to memory of 1216	3312	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 264	1216	regsvr32.exe	explorer.exe
PID 1216 wrote to memory of 264	1216	regsvr32.exe	explorer.exe
PID 1216 wrote to memory of 264	1216	regsvr32.exe	explorer.exe
PID 1216 wrote to memory of 264	1216	regsvr32.exe	explorer.exe
PID 1216 wrote to memory of 264	1216	regsvr32.exe	explorer.exe
PID 264 wrote to memory of 3480	264	explorer.exe	reg.exe
PID 264 wrote to memory of 3480	264	explorer.exe	reg.exe
PID 264 wrote to memory of 4476	264	explorer.exe	reg.exe
PID 264 wrote to memory of 4476	264	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn glbgnlik /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll\"" /SC ONCE /Z /ST 05:07 /ET 05:19
      4⤵
      Creates scheduled task(s)
      PID:5096

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Njfiu" /d "0"
      4⤵
      Windows security bypass
      PID:3480
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Baaag" /d "0"
      4⤵
      Windows security bypass
      PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dbf66cf845c6af2445cb611215c84282_JaffaCakes118.dll

Filesize
905KB

MD5
dbf66cf845c6af2445cb611215c84282

SHA1
ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

SHA256
7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

SHA512
300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

Download Submit
memory/264-28-0x0000000000470000-0x0000000000491000-memory.dmp

Filesize
132KB

Download
memory/264-27-0x0000000000470000-0x0000000000491000-memory.dmp

Filesize
132KB

Download
memory/264-26-0x0000000000470000-0x0000000000491000-memory.dmp

Filesize
132KB

Download
memory/264-23-0x0000000000470000-0x0000000000491000-memory.dmp

Filesize
132KB

Download
memory/1216-24-0x0000000073E40000-0x0000000073FC5000-memory.dmp

Filesize
1.5MB

Download
memory/1216-21-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/1216-19-0x0000000073E40000-0x0000000073FC5000-memory.dmp

Filesize
1.5MB

Download
memory/1216-18-0x0000000073E40000-0x0000000073FC5000-memory.dmp

Filesize
1.5MB

Download
memory/3460-5-0x00000000755F0000-0x0000000075775000-memory.dmp

Filesize
1.5MB

Download
memory/3460-0-0x00000000755F0000-0x0000000075775000-memory.dmp

Filesize
1.5MB

Download
memory/3460-4-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3460-1-0x00000000755F0000-0x0000000075775000-memory.dmp

Filesize
1.5MB

Download
memory/3460-2-0x00000000755F0000-0x0000000075775000-memory.dmp

Filesize
1.5MB

Download
memory/3500-14-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/3500-12-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/3500-11-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/3500-10-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/3500-6-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads