qakbot | ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

General

Target

f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll
Size

358KB
MD5

f4de3d851eb7dd7c361282901a5fa088
SHA1

9d8905df11662f6c1b4f39af47c1c8bb391f81c7
SHA256

ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9
SHA512

7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd
SSDEEP

6144:mm8HFmf2Ee5apzeJ4DSY7Dh6LUr+nxQNBO0fS:GjEuuDC1o

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Eiyxfojwouov = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Gtfgwyg = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1444 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1640 schtasks.exe

pid	process
1444	regsvr32.exe

pid	process
1640	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\3e05d07d = 11fc9ce5dea82bd848c30ecdc57e481e803d64168ba59f27d68bb225215ea039c8e2587ada7ad0054b1b9ed047383ac203cc370f35a6490d8884d91c58c06f02ad749e79a5fd38f941a5ada1d4b2424f252e12e106d9ac4fb2ac14fe01b42b8433cb9d2905b50c90e6ea5ed200a9fdef090f9cef9d1542645811457ab0951b45474d6daca2ecef0396655fda548834a2e2e09a30a85ffb7b9aabf929b31b6b3cd208e8027d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\3c44f001 = bf21c75dde5d02998c06f32775c8251454155e6c50998fc75de51e46307aa9ea9906750a864c2743a42a1957a5cb4870c2ec55934cbbf6f8f13ebfc9f4702ebe04f408045785f8d443079266a7f80dd96ef75cbce751beee63854b31cc3ea7a3abb14c8a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\414cbf8b = 2200c89958940214052e09845669c86881da2633af9c4e6f10fc0118220c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\86b9b718 = 73bf8f9f040d1febbe3340a06e98113c62f8b08b4760cc6356c5d274c25c6de44ce51e742d7020744635e4ee2e04151d7424985b146aca77fafd5a86924db0ed857583333f9f996ece6a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\b9a0033 = 52290b1b75a62e81400456eccd1a7c072100418e31ebfe5df9927389986484f1c86895b638625255bfd61ffffec7491314c107c07a9c0c4dd4c90c7e4aeef810e7d8b108	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\b9a0033 = 52291c1b75a61bf523f5eddd9ac5b92d043df99a3b331ddcb029077dfc2db1a58ffa018ad82c516b4070c1d93b87b3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\74d36fc5 = 0a5f911875abdb39ef8694309d2b04588b6ac4a961ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\84f89764 = 18cefd13bea93a99cc6e7166d8efdb6593c9c7f682bc89a4a737911ff437a44fcdc7343819959f1f7f1da88d01488fabe54f1a528cd0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Amaajlugeos\f9f0d8ee = a6fdfc201471c10cbee93bc7f51a9e5347a38a5a6e09ff2296cafbaeac835d81b851fb8d8d3243ae123dc150651e4d8f71dc9c046ba4da65	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3560 rundll32.exe
3560 rundll32.exe
1444 regsvr32.exe
1444 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3560 rundll32.exe
1444 regsvr32.exe

pid	process
3560	rundll32.exe
3560	rundll32.exe
1444	regsvr32.exe
1444	regsvr32.exe

pid	process
3560	rundll32.exe
1444	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4660 wrote to memory of 3560	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 3560	4660	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 3560	4660	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 3620	3560	rundll32.exe	explorer.exe
PID 3560 wrote to memory of 3620	3560	rundll32.exe	explorer.exe
PID 3560 wrote to memory of 3620	3560	rundll32.exe	explorer.exe
PID 3560 wrote to memory of 3620	3560	rundll32.exe	explorer.exe
PID 3560 wrote to memory of 3620	3560	rundll32.exe	explorer.exe
PID 3620 wrote to memory of 1640	3620	explorer.exe	schtasks.exe
PID 3620 wrote to memory of 1640	3620	explorer.exe	schtasks.exe
PID 3620 wrote to memory of 1640	3620	explorer.exe	schtasks.exe
PID 2076 wrote to memory of 1444	2076	regsvr32.exe	regsvr32.exe
PID 2076 wrote to memory of 1444	2076	regsvr32.exe	regsvr32.exe
PID 2076 wrote to memory of 1444	2076	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 4472	1444	regsvr32.exe	explorer.exe
PID 1444 wrote to memory of 4472	1444	regsvr32.exe	explorer.exe
PID 1444 wrote to memory of 4472	1444	regsvr32.exe	explorer.exe
PID 1444 wrote to memory of 4472	1444	regsvr32.exe	explorer.exe
PID 1444 wrote to memory of 4472	1444	regsvr32.exe	explorer.exe
PID 4472 wrote to memory of 4524	4472	explorer.exe	reg.exe
PID 4472 wrote to memory of 4524	4472	explorer.exe	reg.exe
PID 4472 wrote to memory of 4396	4472	explorer.exe	reg.exe
PID 4472 wrote to memory of 4396	4472	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn muzjirfov /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll\"" /SC ONCE /Z /ST 02:48 /ET 03:00
4⤵
- Creates scheduled task(s)
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3128

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eiyxfojwouov" /d "0"
4⤵
- Windows security bypass
PID:4524

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gtfgwyg" /d "0"
4⤵
- Windows security bypass
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f4de3d851eb7dd7c361282901a5fa088_JaffaCakes118.dll
Filesize
358KB

MD5
f4de3d851eb7dd7c361282901a5fa088

SHA1
9d8905df11662f6c1b4f39af47c1c8bb391f81c7

SHA256
ce2b4e250ac3c32f7a265f1a444386a07ec96cbcbb43510734c37b0b9da011e9

SHA512
7c55f49c9a5f2cc0b7dfcf56cb7af1d4a9ba9186cbe34e3a2d43cd2013247500e043e8f13e28a0a42b40fa89c8f81c52546db9b6ef5b164e0f24b89c6996b2dd

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1444-20-0x00000000016D0000-0x0000000001713000-memory.dmp

Filesize
268KB

Download
memory/1444-15-0x00000000016D0000-0x0000000001713000-memory.dmp

Filesize
268KB

Download
memory/1444-19-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/1444-16-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3560-0-0x0000000002680000-0x00000000026C3000-memory.dmp

Filesize
268KB

Download
memory/3560-3-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3560-1-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3560-4-0x0000000002680000-0x00000000026C3000-memory.dmp

Filesize
268KB

Download
memory/3620-11-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/3620-2-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/3620-8-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/3620-7-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/3620-9-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/4472-18-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/4472-22-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/4472-23-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/4472-24-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/4472-26-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads